Systems and methods for providing IIP address stickiness in an SSL VPN session failover environment

ABSTRACT

The SSL VPN session failover solution of the appliance and/or client agent described herein provides an environment for handling IP address assignment and end point re-authorization upon failover. The appliances may be deployed to provide a session failover environment in which a second appliance is a backup to a first appliance when a failover condition is detected, such as failure in operation of the first appliance. The backup appliance takes over responsibility for SSL VPN sessions provided by the first appliance. In the failover environment, the first appliance propagates SSL VPN session information including user IP address assignment and end point authorization information to the backup appliance. The backup appliance maintains this information. Upon detection of failover of the first appliance, the backup appliance activates the transferred SSL VPN session and maintains the user assigned IP addresses. The backup appliance may also re-authorize the client for the transferred SSL VPN session.

FIELD OF THE INVENTION

The present invention generally relates to data communication networksand, in particular, to systems and methods for performing SSL VPNsession failover.

BACKGROUND OF THE INVENTION

A typical computer system uses a single internet protocol (IP) addressassigned to the computer system. Any user session or program on thecomputer will use the IP address of the computer for networkcommunications on a TCP/IP network. Communications over the network toand from the computer, for example between a client and a server, usethe computer's IP address as part of the network communications of thecomputer. In a virtual private network environment, a remote user mayestablish a virtual private network connection from a client to a secondnetwork, such as via an SSL VPN connection from a client on a publicnetwork to a server on a private network. On the second network, asecond IP address is used for communications between the client and theserver.

A user of the virtual private network may log in via the same computingdevice or roam between computing devices. For each login session, adifferent second IP address may be used for virtual private networkcommunications. Also, for each computing device of the user, a differentsecond IP address may be used for virtual private networkcommunications. As such, the user and/or computing device of the usermay be associated with different IP addresses on the virtual privatenetwork at various times. In some cases, the user may have multiplevirtual private network sessions concurrently, and thus, multiple IPaddresses on the private network. Identifying, tracking or managing thevirtual private network addresses of remote users is challenging, andmay be compounded in an environment with a multitude of remote virtualprivate network users.

One challenge with assigning IP addresses for users of a virtual privatenetwork is handling failures with devices providing the IP address. Afirst device, such as a gateway, may assign the user a first IP addressfor use on a private network. The first device may experience a failure.The user may need to gain access to the private network via a seconddevice, such as a second gateway. This second device may assign the usera second IP address for use on the private network. This may causeproblems in communications with the private network as the client,applications and/or a server may expect the user to be using the firstIP address.

Another challenge with failovers in a virtual private networkenvironment is security. A gateway device providing VPN connectivity mayauthorize a client to access the network. The gateway may check if theclient device has attributes meeting one or more conditions foraccessing the network. For example, the gateway may check if the clienthas security software installed or the appropriate operating systempatch. Upon authorization, a user may access the private network via thegateway such as via a SSL VPN session. At some point, the gateway mayfail or operation may be interrupted. The client may re-establish theSSL VPN session with the network. However, the attributes of the clientupon which the client was authorized may have changed since establishingthe session. For example, security software or operating system patcheson the device may have been installed or removed. This may leave thenetwork vulnerable to these changes when re-establishing sessions withpreviously authorized clients.

BRIEF SUMMARY OF THE INVENTION

The SSL VPN session failover solution of the appliance and/or clientagent described herein provides an environment for handling IP addressassignment and end point re-authorization upon failover. The appliancesmay be deployed to provide a session failover environment in which asecond appliance is a backup to a first appliance when a failovercondition is detected, such as failure in operation of the firstappliance. The backup appliance takes over responsibility for SSL VPNsessions provided by the first appliance. In a failover environment, thefirst appliance propagates SSL VPN session information including user IPaddress assignment and end point authorization information to the backupappliance. The backup appliance maintains this information. Upondetection of failover of the first appliance, the backup applianceactivates the transferred SSL VPN session and maintains the userassigned IP addresses. The backup appliance may also re-authorize theclient for the transferred SSL VPN session.

In one case, the appliance provides techniques and policies forassigning previously assigned virtual private network addresses,referred to as Intranet IP (IIP) addresses, of a user to subsequentsessions of the user as the user logs in multiple times or roams betweenaccess points. This technique is referred to IIP stickiness as theappliance attempts to provide the same IIP address to a reconnecting VPNuser. In the case of appliance failover, in which a backup appliancetakes over responsibility for a user's SSL VPN session, the appliancesprovide seamless IIP address stickiness for the user as the SSL VPNsession is transferred to the backup appliance. The user continues hisor her SSL VPN session with the backup appliance using one of thepreviously assigned IIP addresses of the user.

In another case, the appliance provides for end point detection andre-authorization of the client upon transfer of a user's SSL VPN sessionfrom a first appliance to a backup appliance. The appliance providestechniques for performing end point detection and authorization usingpolicy-based client security strings to determine attributes of theclient device. Depending on the values and evaluation of these clientsecurity strings, the appliance may authorize the client to access thevirtual private network in accordance with one or more policies. Anauthorized client may establish an SSL VPN session with the firstappliance. The first appliance may experience a failover condition andthe SSL VPN session is transferred to a backup appliance. Although theclient was authorized by the first appliance for the SSL VPN session,the backup appliance performs end point detection and re-authorizationclient for the transferred SSL VPN session using the client securitystring.

In some aspects the present invention relates to a system and method ofmaintaining a user's intranet internet protocol address upon failover ofa client's secure socket layer virtual private network (SSL VPN) sessionfrom a first appliance to a second appliance. A second appliancereceives information from a first appliance. The information identifiesone or more intranet internet protocol (IIP) addresses assigned to afirst user for accessing a network via a first secure socket layervirtual private network (SSL VPN) session provided by the firstappliance. The second appliance detects the first appliance isunavailable to provide the first SSL VPN session to the network Thesecond appliance receives a request from the client operated by thefirst user to establish a second SSL VPN session with the network. Thesecond appliance assigns to the client a first intranet internetprotocol address previously assigned to the first user from the one ormore intranet internet protocol addresses as an internet protocoladdress on the network.

In one embodiment, the second appliance provides SSL VPN connectivity tothe network in response to the detection. In another embodiment, thesecond appliance assigns a least recently or a most recently usedintranet internet protocol address of the one or more intranet internetprotocol addresses as the first intranet internet protocol address. Insome embodiments, the second appliance assigns a least used or a mostused intranet internet protocol address of the one or more intranetinternet protocol addresses as the first intranet internet protocoladdress. In another embodiment, the second appliance assigns the firstintranet internet protocol address from the one or more intranetinternet protocol addresses responsive to a policy of a policy engine.

In other embodiments, the second appliance determines an inactiveintranet internet protocol address from the plurality of intranetinternet protocol addresses as the first intranet internet protocoladdress. In one embodiment, the second appliance identifies a policyspecifying a domain name suffix to append to an identifier of the userto provide a user domain name. In some embodiments, the second applianceassociates the user domain name with the first intranet internetprotocol address.

In some embodiments, the second appliance receives one or moreclient-side attributes of the client, such as via end point detection.For example, the second appliance may transmit a request to the clientto evaluate at least one clause of a security string. The clause mayinclude an expression associated with a client-side attribute. Thesecond appliance may receive a result of the client's evaluation of theat least one clause. The second appliance assigns the client to anauthorization group based on the one or more client-side attributes.

In other aspects, the present invention relates to a system and methodof performing authorization of a client's secure socket layer virtualprivate network (SSL VPN) session transferred upon failover from a firstappliance to a second appliance. The second appliance receives from thefirst appliance, information identifying a security string used by thefirst appliance to authorize a secure socket layer virtual privatenetwork (SSL VPN) session established between a client and a network.The second appliance detects the first appliance is unavailable tocontinue the SSL VPN session. The second appliance provides the SSL VPNsession for the client in response to the detection. The secondappliance places the SSL VPN session on hold until the client isauthorized by the second appliance. The t second appliance transmits arequest to the client to evaluate at least one clause of the securitystring. The at least one clause includes an expression identifying aclient-side attribute.

In one embodiment, the second appliance activates the on hold SSL VPNsession upon receiving a predetermined result from evaluation of theleast one clause of the security string. In another embodiment, thesecond appliance assigns the client to an authorization group based on aresult from evaluation of the at least one clause. In some embodiments,the second appliance transmits the request to a collection agent on theclient. The collection agent gathers information associated with theclient-side attribute and evaluates the at least one clause. In otherembodiments, the second appliance receives from the client in responseto the request a result from evaluation of the at least one clauseproviding the client-side attribute.

The client side attribute may indicate a presence on the client of anyof the following: a version of an operating system, a service pack ofthe operating system, a running service, a running process, and a file.The client-side attribute may also indicate a presence on the client ofany one or more of the following: antivirus software, personal firewallsoftware, anti-spam software, and internet security software.

In some embodiments, the second appliance, responsive to a result fromevaluation of the at least one clause, determines that the client lacksa desired client-side attribute. In response to the determination thesecond appliance may maintain the SSL VPN session on hold. The secondappliance may determining from a result from evaluation of the at leastone clause that the client-side attribute is not set to a value inaccordance with a policy. The second appliance may continue to keep theSSL VPN session on hold in response to the determination.

In another embodiment, the second appliance assigns the client to anauthorization group providing quarantined access to the network inresponse to a result from evaluation of the at least one clause. Thesecond appliance then may activate the SSL VPN session. In otherembodiments, the second appliance assigns the client to an authorizationgroup responsive to an application of a policy by a policy engine to aresult from evaluation of the at least one clause, and then may activatethe SSL VPN session.

The details of various embodiments of the invention are set forth in theaccompanying drawings and the description below.

BRIEF DESCRIPTION OF THE FIGURES

The foregoing and other objects, aspects, features, and advantages ofthe invention will become more apparent and better understood byreferring to the following description taken in conjunction with theaccompanying drawings, in which:

FIG. 1A is a block diagram of an embodiment of a network environment fora client to access a server via an appliance;

FIG. 1B is a block diagram of an embodiment of an environment fordelivering a computing environment from a server to a client via anappliance;

FIGS. 1C and 1D are block diagrams of embodiments of a computing device;

FIG. 2A is a block diagram of an embodiment of an appliance forprocessing communications between a client and a server;

FIG. 2B is a block diagram of another embodiment of an appliance foroptimizing, accelerating, load-balancing and routing communicationsbetween a client and a server;

FIG. 3 is a block diagram of an embodiment of a client for communicatingwith a server via the appliance;

FIG. 4 is a block diagram of an embodiment of an appliance and clientproviding an Intranet Internet Protocol (IIP) environment;

FIG. 5 is a flow diagram depicting steps of an embodiment of a methodfor practicing a technique for assigning an IIP address to a user;

FIG. 6A is a block diagram of an embodiment of a network environmentproviding policy-based access to application programs for a localmachine;

FIG. 6B is a block diagram depicting a more detailed embodiment of apolicy engine;

FIG. 6C a flow diagram depicting one embodiment of the steps taken by apolicy engine to make an access control decision based upon informationreceived about a local machine;

FIG. 7 is a flow diagram depicting an embodiment of steps taken in amethod for authorizing a level of access of a client to a virtualprivate network connection based on a client-side attribute; and

FIG. 8 is a block diagram depicting an embodiment of a system forauthorizing a level of access of a client to a virtual private networkconnection based on a client-side attribute.

FIG. 9 is a block diagram depicting an embodiment of a session failoverenvironment;

FIG. 10A is a flow diagram depicting steps of an embodiment ofmaintaining IIP addresses of a user via session failover;

FIG. 10B is a diagram depicting example embodiments of user scenarios ofmaintaining IIP address information via session failover; and

FIG. 11 is a flow diagram depicting steps of an embodiment forperforming end point authorization upon failover.

The features and advantages of the present invention will become moreapparent from the detailed description set forth below when taken inconjunction with the drawings, in which like reference charactersidentify corresponding elements throughout. In the drawings, likereference numbers generally indicate identical, functionally similar,and/or structurally similar elements.

DETAILED DESCRIPTION OF THE INVENTION

For purposes of reading the description of the various embodiments ofthe present invention below, the following descriptions of the sectionsof the specification and their respective contents may be helpful:

-   -   Section A describes a network environment and computing        environment useful for practicing an embodiment of the present        invention;    -   Section B describes embodiments of a system and appliance        architecture for accelerating delivery of a computing        environment to a remote user;    -   Section C describes embodiments of a client agent for        accelerating communications between a client and a server;    -   Section D describes embodiments of an appliance environment for        managing Intranet Internet Protocol (IIP) addresses;    -   Section E describes embodiments of systems and methods for        maintaining Intranet Internet Protocol (IIP) address        “stickiness” to a user;    -   Section F describes embodiments of systems and methods for end        point detection and authorization using client security strings;    -   Section G describes embodiments of an environment for SSL VPN        session failover via appliances;    -   Section H describes embodiments of systems and methods for        maintaining Intranet Internet Protocol (IIP) addresses upon SSL        VPN session failover; and    -   Section I describes embodiments of systems and methods for end        point reauthorization upon SSL VPN session failover.        A. Network and Computing Environment

Prior to discussing the specifics of embodiments of the systems andmethods of an appliance and/or client, it may be helpful to discuss thenetwork and computing environments in which such embodiments may bedeployed. Referring now to FIG. 1A, an embodiment of a networkenvironment is depicted. In brief overview, the network environmentcomprises one or more clients 102 a-102 n (also generally referred to aslocal machine(s) 102, or client(s) 102) in communication with one ormore servers 106 a-106 n (also generally referred to as server(s) 106,or remote machine(s) 106) via one or more networks 104, 104′ (generallyreferred to as network 104). In some embodiments, a client 102communicates with a server 106 via an appliance 200.

Although FIG. 1A shows a network 104 and a network 104′ between theclients 102 and the servers 106, the clients 102 and the servers 106 maybe on the same network 104. The networks 104 and 104′ can be the sametype of network or different types of networks. The network 104 and/orthe network 104′ can be a local-area network (LAN), such as a companyIntranet, a metropolitan area network (MAN), or a wide area network(WAN), such as the Internet or the World Wide Web. In one embodiment,network 104′ may be a private network and network 104 may be a publicnetwork. In some embodiments, network 104 may be a private network andnetwork 104′ a public network. In another embodiment, networks 104 and104′ may both be private networks. In some embodiments, clients 102 maybe located at a branch office of a corporate enterprise communicatingvia a WAN connection over the network 104 to the servers 106 located ata corporate data center.

The network 104 and/or 104′ be any type and/or form of network and mayinclude any of the following: a point to point network, a broadcastnetwork, a wide area network, a local area network, a telecommunicationsnetwork, a data communication network, a computer network, an ATM(Asynchronous Transfer Mode) network, a SONET (Synchronous OpticalNetwork) network, a SDH (Synchronous Digital Hierarchy) network, awireless network and a wireline network. In some embodiments, thenetwork 104 may comprise a wireless link, such as an infrared channel orsatellite band. The topology of the network 104 and/or 104′ may be abus, star, or ring network topology. The network 104 and/or 104′ andnetwork topology may be of any such network or network topology as knownto those ordinarily skilled in the art capable of supporting theoperations described herein.

As shown in FIG. 1A, the appliance 200, which also may be referred to asan interface unit 200 or gateway 200, is shown between the networks 104and 104′. In some embodiments, the appliance 200 may be located onnetwork 104. For example, a branch office of a corporate enterprise maydeploy an appliance 200 at the branch office. In other embodiments, theappliance 200 may be located on network 104′. For example, an appliance200 may be located at a corporate data center. In yet anotherembodiment, a plurality of appliances 200 may be deployed on network104. In some embodiments, a plurality of appliances 200 may be deployedon network 104′. In one embodiment, a first appliance 200 communicateswith a second appliance 200′. In other embodiments, the appliance 200could be a part of any client 102 or server 106 on the same or differentnetwork 104,104′ as the client 102. One or more appliances 200 may belocated at any point in the network or network communications pathbetween a client 102 and a server 106.

In one embodiment, the system may include multiple, logically-groupedservers 106. In these embodiments, the logical group of servers may bereferred to as a server farm 38. In some of these embodiments, theserves 106 may be geographically dispersed. In some cases, a farm 38 maybe administered as a single entity. In other embodiments, the serverfarm 38 comprises a plurality of server farms 38. In one embodiment, theserver farm executes one or more applications on behalf of one or moreclients 102.

The servers 106 within each farm 38 can be heterogeneous. One or more ofthe servers 106 can operate according to one type of operating systemplatform (e.g., WINDOWS NT, manufactured by Microsoft Corp. of Redmond,Wash.), while one or more of the other servers 106 can operate onaccording to another type of operating system platform (e.g., Unix orLinux). The servers 106 of each farm 38 do not need to be physicallyproximate to another server 106 in the same farm 38. Thus, the group ofservers 106 logically grouped as a farm 38 may be interconnected using awide-area network (WAN) connection or medium-area network (MAN)connection. For example, a farm 38 may include servers 106 physicallylocated in different continents or different regions of a continent,country, state, city, campus, or room. Data transmission speeds betweenservers 106 in the farm 38 can be increased if the servers 106 areconnected using a local-area network (LAN) connection or some form ofdirect connection.

Servers 106 may be referred to as a file server, application server, webserver, proxy server, or gateway server. In some embodiments, a server106 may have the capacity to function as either an application server oras a master application server. In one embodiment, a server 106 mayinclude an Active Directory. The clients 102 may also be referred to asclient nodes or endpoints. In some embodiments, a client 102 has thecapacity to function as both a client node seeking access toapplications on a server and as an application server providing accessto hosted applications for other clients 102 a-102 n.

In some embodiments, a client 102 communicates with a server 106. In oneembodiment, the client 102 communicates directly with one of the servers106 in a farm 38. In another embodiment, the client 102 executes aprogram neighborhood application to communicate with a server 106 in afarm 38. In still another embodiment, the server 106 provides thefunctionality of a master node. In some embodiments, the client 102communicates with the server 106 in the farm 38 through a network 104.Over the network 104, the client 102 can, for example, request executionof various applications hosted by the servers 106 a-106 n in the farm 38and receive output of the results of the application execution fordisplay. In some embodiments, only the master node provides thefunctionality required to identify and provide address informationassociated with a server 106′ hosting a requested application.

In one embodiment, the server 106 provides functionality of a webserver. In another embodiment, the server 106 a receives requests fromthe client 102, forwards the requests to a second server 106 b andresponds to the request by the client 102 with a response to the requestfrom the server 106 b. In still another embodiment, the server 106acquires an enumeration of applications available to the client 102 andaddress information associated with a server 106 hosting an applicationidentified by the enumeration of applications. In yet anotherembodiment, the server 106 presents the response to the request to theclient 102 using a web interface. In one embodiment, the client 102communicates directly with the server 106 to access the identifiedapplication. In another embodiment, the client 102 receives applicationoutput data, such as display data, generated by an execution of theidentified application on the server 106.

Referring now to FIG. 1B, a network environment for delivering and/oroperating a computing environment on a client 102 is depicted. In someembodiments, a server 106 includes an application delivery system 190for delivering a computing environment or an application and/or datafile to one or more clients 102. In brief overview, a client 10 is incommunication with a server 106 via network 104, 104′ and appliance 200.For example, the client 102 may reside in a remote office of a company,e.g., a branch office, and the server 106 may reside at a corporate datacenter. The client 102 comprises a client agent 120, and a computingenvironment 15. The computing environment 15 may execute or operate anapplication that accesses, processes or uses a data file. The computingenvironment 15, application and/or data file may be delivered via theappliance 200 and/or the server 106.

In some embodiments, the appliance 200 accelerates delivery of acomputing environment 15, or any portion thereof, to a client 102. Inone embodiment, the appliance 200 accelerates the delivery of thecomputing environment 15 by the application delivery system 190. Forexample, the embodiments described herein may be used to acceleratedelivery of a streaming application and data file processable by theapplication from a central corporate data center to a remote userlocation, such as a branch office of the company. In another embodiment,the appliance 200 accelerates transport layer traffic between a client102 and a server 106. The appliance 200 may provide accelerationtechniques for accelerating any transport layer payload from a server106 to a client 102, such as: 1) transport layer connection pooling, 2)transport layer connection multiplexing, 3) transport control protocolbuffering, 4) compression and 5) caching. In some embodiments, theappliance 200 provides load balancing of servers 106 in responding torequests from clients 102. In other embodiments, the appliance 200 actsas a proxy or access server to provide access to the one or more servers106. In another embodiment, the appliance 200 provides a secure virtualprivate network connection from a first network 104 of the client 102 tothe second network 104′ of the server 106, such as an SSL VPNconnection. It yet other embodiments, the appliance 200 providesapplication firewall security, control and management of the connectionand communications between a client 102 and a server 106.

In some embodiments, the application delivery management system 190provides application delivery techniques to deliver a computingenvironment to a desktop of a user, remote or otherwise, based on aplurality of execution methods and based on any authentication andauthorization policies applied via a policy engine 195. With thesetechniques, a remote user may obtain a computing environment and accessto server stored applications and data files from any network connecteddevice 100. In one embodiment, the application delivery system 190 mayreside or execute on a server 106. In another embodiment, theapplication delivery system 190 may reside or execute on a plurality ofservers 106 a-106 n. In some embodiments, the application deliverysystem 190 may execute in a server farm 38. In one embodiment, theserver 106 executing the application delivery system 190 may also storeor provide the application and data file. In another embodiment, a firstset of one or more servers 106 may execute the application deliverysystem 190, and a different server 106 n may store or provide theapplication and data file. In some embodiments, each of the applicationdelivery system 190, the application, and data file may reside or belocated on different servers. In yet another embodiment, any portion ofthe application delivery system 190 may reside, execute or be stored onor distributed to the appliance 200, or a plurality of appliances.

The client 102 may include a computing environment 15 for executing anapplication that uses or processes a data file. The client 102 vianetworks 104, 104′ and appliance 200 may request an application and datafile from the server 106. In one embodiment, the appliance 200 mayforward a request from the client 102 to the server 106. For example,the client 102 may not have the application and data file stored oraccessible locally. In response to the request, the application deliverysystem 190 and/or server 106 may deliver the application and data fileto the client 102. For example, in one embodiment, the server 106 maytransmit the application as an application stream to operate incomputing environment 15 on client 102.

In some embodiments, the application delivery system 190 comprises anyportion of the Citrix Access Suite™ by Citrix Systems, Inc., such as theMetaFrame or Citrix Presentation Server™ and/or any of the Microsoft®Windows Terminal Services manufactured by the Microsoft Corporation. Inone embodiment, the application delivery system 190 may deliver one ormore applications to clients 102 or users via a remote-display protocolor otherwise via remote-based or server-based computing. In anotherembodiment, the application delivery system 190 may deliver one or moreapplications to clients or users via steaming of the application.

In one embodiment, the application delivery system 190 includes a policyengine 195 for controlling and managing the access to, selection ofapplication execution methods and the delivery of applications. In someembodiments, the policy engine 195 determines the one or moreapplications a user or client 102 may access. In another embodiment, thepolicy engine 195 determines how the application should be delivered tothe user or client 102, e.g., the method of execution. In someembodiments, the application delivery system 190 provides a plurality ofdelivery techniques from which to select a method of applicationexecution, such as a server-based computing, streaming or delivering theapplication locally to the client 120 for local execution.

In one embodiment, a client 102 requests execution of an applicationprogram and the application delivery system 190 comprising a server 106selects a method of executing the application program. In someembodiments, the server 106 receives credentials from the client 102. Inanother embodiment, the server 106 receives a request for an enumerationof available applications from the client 102. In one embodiment, inresponse to the request or receipt of credentials, the applicationdelivery system 190 enumerates a plurality of application programsavailable to the client 102. The application delivery system 190receives a request to execute an enumerated application. The applicationdelivery system 190 selects one of a predetermined number of methods forexecuting the enumerated application, for example, responsive to apolicy of a policy engine. The application delivery system 190 mayselect a method of execution of the application enabling the client 102to receive application-output data generated by execution of theapplication program on a server 106. The application delivery system 190may select a method of execution of the application enabling the localmachine 10 to execute the application program locally after retrieving aplurality of application files comprising the application. In yetanother embodiment, the application delivery system 190 may select amethod of execution of the application to stream the application via thenetwork 104 to the client 102.

A client 102 may execute, operate or otherwise provide an application,which can be any type and/or form of software, program, or executableinstructions such as any type and/or form of web browser, web-basedclient, client-server application, a thin-client computing client, anActiveX control, or a Java applet, or any other type and/or form ofexecutable instructions capable of executing on client 102. In someembodiments, the application may be a server-based or a remote-basedapplication executed on behalf of the client 102 on a server 106. In oneembodiments the server 106 may display output to the client 102 usingany thin-client or remote-display protocol, such as the IndependentComputing Architecture (ICA) protocol manufactured by Citrix Systems,Inc. of Ft. Lauderdale, Fla. or the Remote Desktop Protocol (RDP)manufactured by the Microsoft Corporation of Redmond, Wash. Theapplication can use any type of protocol and it can be, for example, anHTTP client, an FTP client, an Oscar client, or a Telnet client. Inother embodiments, the application comprises any type of softwarerelated to VoIP communications, such as a soft IP telephone. In furtherembodiments, the application comprises any application related toreal-time data communications, such as applications for streaming videoand/or audio.

In some embodiments, the server 106 or a server farm 38 may be runningone or more applications, such as an application providing a thin-clientcomputing or remote display presentation application. In one embodiment,the server 106 or server farm 38 executes as an application, any portionof the Citrix Access Suite™ by Citrix Systems, Inc., such as theMetaFrame or Citrix Presentation Server™, and/or any of the Microsoft®Windows Terminal Services manufactured by the Microsoft Corporation. Inone embodiment, the application is an ICA client, developed by CitrixSystems, Inc. of Fort Lauderdale, Fla. In other embodiments, theapplication includes a Remote Desktop (RDP) client, developed byMicrosoft Corporation of Redmond, Wash. Also, the server 106 may run anapplication, which for example, may be an application server providingemail services such as Microsoft Exchange manufactured by the MicrosoftCorporation of Redmond, Wash., a web or Internet server, or a desktopsharing server, or a collaboration server. In some embodiments, any ofthe applications may comprise any type of hosted service or products,such as GoToMeeting™ provided by Citrix Online Division, Inc. of SantaBarbara, Calif., WebEx™ provided by WebEx, Inc. of Santa Clara, Calif.,or Microsoft Office Live Meeting provided by Microsoft Corporation ofRedmond, Wash.

The client 102, server 106, and appliance 200 may be deployed as and/orexecuted on any type and form of computing device, such as a computer,network device or appliance capable of communicating on any type andform of network and performing the operations described herein. FIGS. 1Cand 1D depict block diagrams of a computing device 100 useful forpracticing an embodiment of the client 102, server 106 or appliance 200.As shown in FIGS. 1C and 1D, each computing device 100 includes acentral processing unit 101, and a main memory unit 122. As shown inFIG. 1C, a computing device 100 may include a visual display device 124,a keyboard 126 and/or a pointing device 127, such as a mouse. Eachcomputing device 100 may also include additional optional elements, suchas one or more input/output devices 130 a-130 b (generally referred tousing reference numeral 130), and a cache memory 140 in communicationwith the central processing unit 101.

The central processing unit 101 is any logic circuitry that responds toand processes instructions fetched from the main memory unit 122. Inmany embodiments, the central processing unit is provided by amicroprocessor unit, such as: those manufactured by Intel Corporation ofMountain View, Calif.; those manufactured by Motorola Corporation ofSchaumburg, Ill.; those manufactured by Transmeta Corporation of SantaClara, Calif.; the RS/6000 processor, those manufactured byInternational Business Machines of White Plains, N.Y.; or thosemanufactured by Advanced Micro Devices of Sunnyvale, Calif. Thecomputing device 100 may be based on any of these processors, or anyother processor capable of operating as described herein.

Main memory unit 122 may be one or more memory chips capable of storingdata and allowing any storage location to be directly accessed by themicroprocessor 101, such as Static random access memory (SRAM), BurstSRAM or SynchBurst SRAM (BSRAM), Dynamic random access memory (DRAM),Fast Page Mode DRAM (FPM DRAM), Enhanced DRAM (EDRAM), Extended DataOutput RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), BurstExtended Data Output DRAM (BEDO DRAM), Enhanced DRAM (EDRAM),synchronous DRAM (SDRAM), JEDEC SRAM, PC100 SDRAM, Double Data RateSDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM),Direct Rambus DRAM (DRDRAM), or Ferroelectric RAM (FRAM). The mainmemory 122 may be based on any of the above described memory chips, orany other available memory chips capable of operating as describedherein. In the embodiment shown in FIG. 1C, the processor 101communicates with main memory 122 via a system bus 150 (described inmore detail below). FIG. 1C depicts an embodiment of a computing device100 in which the processor communicates directly with main memory 122via a memory port 103. For example, in FIG. 1D the main memory 122 maybe DRDRAM.

FIG. 1D depicts an embodiment in which the main processor 101communicates directly with cache memory 140 via a secondary bus,sometimes referred to as a backside bus. In other embodiments, the mainprocessor 101 communicates with cache memory 140 using the system bus150. Cache memory 140 typically has a faster response time than mainmemory 122 and is typically provided by SRAM, BSRAM, or EDRAM. In theembodiment shown in FIG. 1C, the processor 101 communicates with variousI/O devices 130 via a local system bus 150. Various busses may be usedto connect the central processing unit 101 to any of the I/O devices130, including a VESA VL bus, an ISA bus, an EISA bus, a MicroChannelArchitecture (MCA) bus, a PCI bus, a PCI-X bus, a PCI-Express bus, or aNuBus. For embodiments in which the I/O device is a video display 124,the processor 101 may use an Advanced Graphics Port (AGP) to communicatewith the display 124. FIG. 1D depicts an embodiment of a computer 100 inwhich the main processor 101 communicates directly with I/O device 130via HyperTransport, Rapid I/O, or InfiniBand. FIG. 1D also depicts anembodiment in which local busses and direct communication are mixed: theprocessor 101 communicates with I/O device 130 using a localinterconnect bus while communicating with I/O device 130 directly.

The computing device 100 may support any suitable installation device116, such as a floppy disk drive for receiving floppy disks such as3.5-inch, 5.25-inch disks or ZIP disks, a CD-ROM drive, a CD-R/RW drive,a DVD-ROM drive, tape drives of various formats, USB device, hard-driveor any other device suitable for installing software and programs suchas any client agent 120, or portion thereof. The computing device 100may further comprise a storage device 128, such as one or more hard diskdrives or redundant arrays of independent disks, for storing anoperating system and other related software, and for storing applicationsoftware programs such as any program related to the client agent 120.Optionally, any of the installation devices 116 could also be used asthe storage device 128. Additionally, the operating system and thesoftware can be run from a bootable medium, for example, a bootable CD,such as KNOPPIX®, a bootable CD for GNU/Linux that is available as aGNU/Linux distribution from knoppix.net.

Furthermore, the computing device 100 may include a network interface118 to interface to a Local Area Network (LAN), Wide Area Network (WAN)or the Internet through a variety of connections including, but notlimited to, standard telephone lines, LAN or WAN links (e.g., 802.11,T1, T3, 56 kb, X.25), broadband connections (e.g., ISDN, Frame Relay,ATM), wireless connections, or some combination of any or all of theabove. The network interface 118 may comprise a built-in networkadapter, network interface card, PCMCIA network card, card bus networkadapter, wireless network adapter, USB network adapter, modem or anyother device suitable for interfacing the computing device 100 to anytype of network capable of communication and performing the operationsdescribed herein. A wide variety of I/O devices 130 a-130 n may bepresent in the computing device 100. Input devices include keyboards,mice, trackpads, trackballs, microphones, and drawing tablets. Outputdevices include video displays, speakers, inkjet printers, laserprinters, and dye-sublimation printers. The I/O devices 130 may becontrolled by an I/O controller 123 as shown in FIG. 1C. The I/Ocontroller may control one or more I/O devices such as a keyboard 126and a pointing device 127, e.g., a mouse or optical pen. Furthermore, anI/O device may also provide storage 128 and/or an installation medium116 for the computing device 100. In still other embodiments, thecomputing device 100 may provide USB connections to receive handheld USBstorage devices such as the USB Flash Drive line of devices manufacturedby Twintech Industry, Inc. of Los Alamitos, Calif.

In some embodiments, the computing device 100 may comprise or beconnected to multiple display devices 124 a-124 n, which each may be ofthe same or different type and/or form. As such, any of the I/O devices130 a-130 n and/or the I/O controller 123 may comprise any type and/orform of suitable hardware, software, or combination of hardware andsoftware to support, enable or provide for the connection and use ofmultiple display devices 124 a-124 n by the computing device 100. Forexample, the computing device 100 may include any type and/or form ofvideo adapter, video card, driver, and/or library to interface,communicate, connect or otherwise use the display devices 124 a-124 n.In one embodiment, a video adapter may comprise multiple connectors tointerface to multiple display devices 124 a-124 n. In other embodiments,the computing device 100 may include multiple video adapters, with eachvideo adapter connected to one or more of the display devices 124 a-124n. In some embodiments, any portion of the operating system of thecomputing device 100 may be configured for using multiple displays 124a-124 n. In other embodiments, one or more of the display devices 124a-124 n may be provided by one or more other computing devices, such ascomputing devices 100 a and 100 b connected to the computing device 100,for example, via a network. These embodiments may include any type ofsoftware designed and constructed to use another computer's displaydevice as a second display device 124 a for the computing device 100.One ordinarily skilled in the art will recognize and appreciate thevarious ways and embodiments that a computing device 100 may beconfigured to have multiple display devices 124 a-124 n.

In further embodiments, an I/O device 130 may be a bridge 170 betweenthe system bus 150 and an external communication bus, such as a USB bus,an Apple Desktop Bus, an RS-232 serial connection, a SCSI bus, aFireWire bus, a FireWire 800 bus, an Ethernet bus, an AppleTalk bus, aGigabit Ethernet bus, an Asynchronous Transfer Mode bus, a HIPPI bus, aSuper HIPPI bus, a SerialPlus bus, a SCI/LAMP bus, a FibreChannel bus,or a Serial Attached small computer system interface bus.

A computing device 100 of the sort depicted in FIGS. 1C and 1D typicallyoperate under the control of operating systems, which control schedulingof tasks and access to system resources. The computing device 100 can berunning any operating system such as any of the versions of theMicrosoft® Windows operating systems, the different releases of the Unixand Linux operating systems, any version of the Mac OS® for Macintoshcomputers, any embedded operating system, any real-time operatingsystem, any open source operating system, any proprietary operatingsystem, any operating systems for mobile computing devices, or any otheroperating system capable of running on the computing device andperforming the operations described herein. Typical operating systemsinclude: WINDOWS 3.x, WINDOWS 95, WINDOWS 98, WINDOWS 2000, WINDOWS NT3.51, WINDOWS NT 4.0, WINDOWS CE, and WINDOWS XP, all of which aremanufactured by Microsoft Corporation of Redmond, Wash.; MacOS,manufactured by Apple Computer of Cupertino, California; OS/2,manufactured by International Business Machines of Armonk, N.Y.; andLinux, a freely-available operating system distributed by Caldera Corp.of Salt Lake City, Utah, or any type and/or form of a Unix operatingsystem, among others.

In other embodiments, the computing device 100 may have differentprocessors, operating systems, and input devices consistent with thedevice. For example, in one embodiment the computer 100 is a Treo 180,270, 1060, 600 or 650 smart phone manufactured by Palm, Inc. In thisembodiment, the Treo smart phone is operated under the control of thePalmOS operating system and includes a stylus input device as well as afive-way navigator device. Moreover, the computing device 100 can be anyworkstation, desktop computer, laptop or notebook computer, server,handheld computer, mobile telephone, any other computer, or other formof computing or telecommunications device that is capable ofcommunication and that has sufficient processor power and memorycapacity to perform the operations described herein.

B. Appliance Architecture

FIG. 2A illustrates an example embodiment of the appliance 200. Thearchitecture of the appliance 200 in FIG. 2A is provided by way ofillustration only and is not intended to be limiting. As shown in FIG.2, appliance 200 comprises a hardware layer 206 and a software layerdivided into a user space 202 and a kernel space 204.

Hardware layer 206 provides the hardware elements upon which programsand services within kernel space 204 and user space 202 are executed.Hardware layer 206 also provides the structures and elements which allowprograms and services within kernel space 204 and user space 202 tocommunicate data both internally and externally with respect toappliance 200. As shown in FIG. 2, the hardware layer 206 includes aprocessing unit 262 for executing software programs and services, amemory 264 for storing software and data, network ports 266 fortransmitting and receiving data over a network, and an encryptionprocessor 260 for performing functions related to Secure Sockets Layerprocessing of data transmitted and received over the network. In someembodiments, the central processing unit 262 may perform the functionsof the encryption processor 260 in a single processor. Additionally, thehardware layer 206 may comprise multiple processors for each of theprocessing unit 262 and the encryption processor 260. The processor 262may include any of the processors 101 described above in connection withFIGS. 1C and 1D. In some embodiments, the central processing unit 262may perform the functions of the encryption processor 260 in a singleprocessor. Additionally, the hardware layer 206 may comprise multipleprocessors for each of the processing unit 262 and the encryptionprocessor 260. For example, in one embodiment, the appliance 200comprises a first processor 262 and a second processor 262′. In otherembodiments, the processor 262 or 262′ comprises a multi-core processor.

Although the hardware layer 206 of appliance 200 is generallyillustrated with an encryption processor 260, processor 260 may be aprocessor for performing functions related to any encryption protocol,such as the Secure Socket Layer (SSL) or Transport Layer Security (TLS)protocol. In some embodiments, the processor 260 may be a generalpurpose processor (GPP), and in further embodiments, may be haveexecutable instructions for performing processing of any securityrelated protocol.

Although the hardware layer 206 of appliance 200 is illustrated withcertain elements in FIG. 2, the hardware portions or components ofappliance 200 may comprise any type and form of elements, hardware orsoftware, of a computing device, such as the computing device 100illustrated and discussed herein in conjunction with FIGS. 1C and 1D. Insome embodiments, the appliance 200 may comprise a server, gateway,router, switch, bridge or other type of computing or network device, andhave any hardware and/or software elements associated therewith.

The operating system of appliance 200 allocates, manages, or otherwisesegregates the available system memory into kernel space 204 and userspace 204. In example software architecture 200, the operating systemmay be any type and/or form of Unix operating system although theinvention is not so limited. As such, the appliance 200 can be runningany operating system such as any of the versions of the Microsoft®Windows operating systems, the different releases of the Unix and Linuxoperating systems, any version of the Mac OS® for Macintosh computers,any embedded operating system, any network operating system, anyreal-time operating system, any open source operating system, anyproprietary operating system, any operating systems for mobile computingdevices or network devices, or any other operating system capable ofrunning on the appliance 200 and performing the operations describedherein.

The kernel space 204 is reserved for running the kernel 230, includingany device drivers, kernel extensions or other kernel related software.As known to those skilled in the art, the kernel 230 is the core of theoperating system, and provides access, control, and management ofresources and hardware-related elements of the application 104. Inaccordance with an embodiment of the appliance 200, the kernel space 204also includes a number of network services or processes working inconjunction with a cache manager 232. sometimes also referred to as theintegrated cache, the benefits of which are described in detail furtherherein. Additionally, the embodiment of the kernel 230 will depend onthe embodiment of the operating system installed, configured, orotherwise used by the device 200.

In one embodiment, the device 200 comprises one network stack 267, suchas a TCP/IP based stack, for communicating with the client 102 and/orthe server 106. In one embodiment, the network stack 267 is used tocommunicate with a first network, such as network 108, and a secondnetwork 110. In some embodiments, the device 200 terminates a firsttransport layer connection, such as a TCP connection of a client 102,and establishes a second transport layer connection to a server 106 foruse by the client 102, e.g., the second transport layer connection isterminated at the appliance 200 and the server 106. The first and secondtransport layer connections may be established via a single networkstack 267. In other embodiments, the device 200 may comprise multiplenetwork stacks, for example 267 and 267′, and the first transport layerconnection may be established or terminated at one network stack 267,and the second transport layer connection on the second network stack267′. For example, one network stack may be for receiving andtransmitting network packet on a first network, and another networkstack for receiving and transmitting network packets on a secondnetwork. In one embodiment, the network stack 267 comprises a buffer 243for queuing one or more network packets for transmission by theappliance 200.

As shown in FIG. 2, the kernel space 204 includes the cache manager 232,a high-speed layer 2-7 integrated packet engine 240, an encryptionengine 234, a policy engine 236 and multi-protocol compression logic238. Running these components or processes 232, 240, 234, 236 and 238 inkernel space 204 or kernel mode instead of the user space 202 improvesthe performance of each of these components, alone and in combination.Kernel operation means that these components or processes 232, 240, 234,236 and 238 run in the core address space of the operating system of thedevice 200. For example, running the encryption engine 234 in kernelmode improves encryption performance by moving encryption and decryptionoperations to the kernel, thereby reducing the number of transitionsbetween the memory space or a kernel thread in kernel mode and thememory space or a thread in user mode. For example, data obtained inkernel mode may not need to be passed or copied to a process or threadrunning in user mode, such as from a kernel level data structure to auser level data structure. In another aspect, the number of contextswitches between kernel mode and user mode are also reduced.Additionally, synchronization of and communications between any of thecomponents or processes 232, 240, 235, 236 and 238 can be performed moreefficiently in the kernel space 204.

In some embodiments, any portion of the components 232, 240, 234, 236and 238 may run or operate in the kernel space 204, while other portionsof these components 232, 240, 234, 236 and 238 may run or operate inuser space 202. In one embodiment, the appliance 200 uses a kernel-leveldata structure providing access to any portion of one or more networkpackets, for example, a network packet comprising a request from aclient 102 or a response from a server 106. In some embodiments, thekernel-level data structure may be obtained by the packet engine 240 viaa transport layer driver interface or filter to the network stack 267.The kernel-level data structure may comprise any interface and/or dataaccessible via the kernel space 204 related to the network stack 267,network traffic or packets received or transmitted by the network stack267. In other embodiments, the kernel-level data structure may be usedby any of the components or processes 232, 240, 234, 236 and 238 toperform the desired operation of the component or process. In oneembodiment, a component 232, 240, 234, 236 and 238 is running in kernelmode 204 when using the kernel-level data structure, while in anotherembodiment, the component 232, 240, 234, 236 and 238 is running in usermode when using the kernel-level data structure. In some embodiments,the kernel-level data structure may be copied or passed to a secondkernel-level data structure, or any desired user-level data structure.

The cache manager 232 may comprise software, hardware or any combinationof software and hardware to provide cache access, control and managementof any type and form of content, such as objects or dynamicallygenerated objects served by the originating servers 106. The data,objects or content processed and stored by the cache manager 232 maycomprise data in any format, such as a markup language, or communicatedvia any protocol. In some embodiments, the cache manager 232 duplicatesoriginal data stored elsewhere or data previously computed, generated ortransmitted, in which the original data may require longer access timeto fetch, compute or otherwise obtain relative to reading a cache memoryelement. Once the data is stored in the cache memory element, future usecan be made by accessing the cached copy rather than refetching orrecomputing the original data, thereby reducing the access time. In someembodiments, the cache memory element nat comprise a data object inmemory 264 of device 200. In other embodiments, the cache memory elementmay comprise memory having a faster access time than memory 264. Inanother embodiment, the cache memory element may comprise any type andform of storage element of the device 200, such as a portion of a harddisk. In some embodiments, the processing unit 262 may provide cachememory for use by the cache manager 232. In yet further embodiments, thecache manager 232 may use any portion and combination of memory,storage, or the processing unit for caching data, objects, and othercontent.

Furthermore, the cache manager 232 includes any logic, functions, rules,or operations to perform any embodiments of the techniques of theappliance 200 described herein. For example, the cache manager 232includes logic or functionality to invalidate objects based on theexpiration of an invalidation time period or upon receipt of aninvalidation command from a client 102 or server 106. In someembodiments, the cache manager 232 may operate as a program, service,process or task executing in the kernel space 204, and in otherembodiments, in the user space 202. In one embodiment, a first portionof the cache manager 232 executes in the user space 202 while a secondportion executes in the kernel space 204. In some embodiments, the cachemanager 232 can comprise any type of general purpose processor (GPP), orany other type of integrated circuit, such as a Field Programmable GateArray (FPGA), Programmable Logic Device (PLD), or Application SpecificIntegrated Circuit (ASIC).

The policy engine 236 may include, for example, an intelligentstatistical engine or other programmable application(s). In oneembodiment, the policy engine 236 provides a configuration mechanism toallow a user to identifying, specify, define or configure a cachingpolicy. Policy engine 236, in some embodiments, also has access tomemory to support data structures such as lookup tables or hash tablesto enable user-selected caching policy decisions. In other embodiments,the policy engine 236 may comprise any logic, rules, functions oroperations to determine and provide access, control and management ofobjects, data or content being cached by the appliance 200 in additionto access, control and management of security, network traffic, networkaccess, compression or any other function or operation performed by theappliance 200. Further examples of specific caching policies are furtherdescribed herein.

The encryption engine 234 comprises any logic, business rules, functionsor operations for handling the processing of any security relatedprotocol, such as SSL or TLS, or any function related thereto. Forexample, the encryption engine 234 encrypts and decrypts networkpackets, or any portion thereof, communicated via the appliance 200. Theencryption engine 234 may also setup or establish SSL or TLS connectionson behalf of the client 102 a-102 n, server 106 a-106 n, or appliance200. As such, the encryption engine 234 provides offloading andacceleration of SSL processing. In one embodiment, the encryption engine234 uses a tunneling protocol to provide a virtual private networkbetween a client 102 a-102 n and a server 106 a-106 n. In someembodiments, the encryption engine 234 is in communication with theEncryption processor 260. In other embodiments, the encryption engine234 comprises executable instructions running on the Encryptionprocessor 260.

The multi-protocol compression engine 238 comprises any logic, businessrules, function or operations for compressing one or more protocols of anetwork packet, such as any of the protocols used by the network stack267 of the device 200. In one embodiment, multi-protocol compressionengine 238 compresses bi-directionally between clients 102 a-102 n andservers 106 a-106 n any TCP/IP based protocol, including MessagingApplication Programming Interface (MAPI) (email), File Transfer Protocol(FTP), HyperText Transfer Protocol (HTTP), Common Internet File System(CIFS) protocol (file transfer), Independent Computing Architecture(ICA) protocol, Remote Desktop Protocol (RDP), Wireless ApplicationProtocol (WAP), Mobile IP protocol, and Voice Over IP (VoIP) protocol.In other embodiments, multi-protocol compression engine 238 providescompression of Hypertext Markup Language (HTML) based protocols and insome embodiments, provides compression of any markup languages, such asthe Extensible Markup Language (XML). In one embodiment, themulti-protocol compression engine 238 provides compression of anyhigh-performance protocol, such as any protocol designed for appliance200 to appliance 200 communications. In another embodiment, themulti-protocol compression engine 238 compresses any payload of or anycommunication using a modified transport control protocol, such asTransaction TCP (T/TCP), TCP with selection acknowledgements (TCP-SACK),TCP with large windows (TCP-LW), a congestion prediction protocol suchas the TCP-Vegas protocol, and a TCP spoofing protocol.

As such, the multi-protocol compression engine 238 acceleratesperformance for users accessing applications via desktop clients, e.g.,Microsoft Outlook and non-Web thin clients, such as any client launchedby popular enterprise applications like Oracle, SAP and Siebel, and evenmobile clients, such as the Pocket PC. In some embodiments, themulti-protocol compression engine 238 by executing in the kernel mode204 and integrating with packet processing engine 240 accessing thenetwork stack 267 is able to compress any of the protocols carried bythe TCP/IP protocol, such as any application layer protocol.

High speed layer 2-7 integrated packet engine 240, also generallyreferred to as a packet processing engine or packet engine, isresponsible for managing the kernel-level processing of packets receivedand transmitted by appliance 200 via network ports 266. The high speedlayer 2-7 integrated packet engine 240 may comprise a buffer for queuingone or more network packets during processing, such as for receipt of anetwork packet or transmission of a network packer. Additionally, thehigh speed layer 2-7 integrated packet engine 240 is in communicationwith one or more network stacks 267 to send and receive network packetsvia network ports 266. The high speed layer 2-7 integrated packet engine240 works in conjunction with encryption engine 234, cache manager 232,policy engine 236 and multi-protocol compression logic 238. Inparticular, encryption engine 234 is configured to perform SSLprocessing of packets, policy engine 236 is configured to performfunctions related to traffic management such as request-level contentswitching and request-level cache redirection, and multi-protocolcompression logic 238 is configured to perform functions related tocompression and decompression of data.

The high speed layer 2-7 integrated packet engine 240 includes a packetprocessing timer 242. In one embodiment, the packet processing timer 242provides one or more time intervals to trigger the processing ofincoming, i.e., received, or outgoing, i.e., transmitted, networkpackets. In some embodiments, the high speed layer 2-7 integrated packetengine 240 processes network packets responsive to the timer 242. Thepacket processing timer 242 provides any type and form of signal to thepacket engine 240 to notify, trigger, or communicate a time relatedevent, interval or occurrence. In many embodiments, the packetprocessing timer 242 operates in the order of milliseconds, such as forexample 100 ms, 50 ms or 25 ms. For example, in some embodiments, thepacket processing timer 242 provides time intervals or otherwise causesa network packet to be processed by the high speed layer 2-7 integratedpacket engine 240 at a 10 ms time interval, while in other embodiments,at a 5 ms time interval, and still yet in further embodiments, as shortas a 3, 2, or 1 ms time interval. The high speed layer 2-7 integratedpacket engine 240 may be interfaced, integrated or in communication withthe encryption engine 234, cache manager 232, policy engine 236 andmulti-protocol compression engine 238 during operation. As such, any ofthe logic, functions, or operations of the encryption engine 234, cachemanager 232, policy engine 236 and multi-protocol compression logic 238may be performed responsive to the packet processing timer 242 and/orthe packet engine 240. Therefore, any of the logic, functions, oroperations of the encryption engine 234, cache manager 232, policyengine 236 and multi-protocol compression logic 238 may be performed atthe granularity of time intervals provided via the packet processingtimer 242, for example, at a time interval of less than or equal to 10ms. For example, in one embodiment, the cache manager 232 may performinvalidation of any cached objects responsive to the high speed layer2-7 integrated packet engine 240 and/or the packet processing timer 242.In another embodiment, the expiry or invalidation time of a cachedobject can be set to the same order of granularity as the time intervalof the packet processing timer 242, such as at every 10 ms.

In contrast to kernel space 204, user space 202 is the memory area orportion of the operating system used by user mode applications orprograms otherwise running in user mode. A user mode application may notaccess kernel space 204 directly and uses service calls in order toaccess kernel services. As shown in FIG. 2, user space 202 of appliance200 includes a graphical user interface (GUI) 210, a command lineinterface (CLI) 212, shell services 214, health monitoring program 216,and daemon services 218. GUI 210 and CLI 212 provide a means by which asystem administrator or other user can interact with and control theoperation of appliance 200, such as via the operating system of theappliance 200 and either is user space 202 or kernel space 204. The GUI210 may be any type and form of graphical user interface and may bepresented via text, graphical or otherwise, by any type of program orapplication, such as a browser. The CLI 212 may be any type and form ofcommand line or text-based interface, such as a command line provided bythe operating system. For example, the CLI 212 may comprise a shell,which is a tool to enable users to interact with the operating system.In some embodiments, the CLI 212 may be provided via a bash, csh, tcsh,or ksh type shell. The shell services 214 comprises the programs,services, tasks, processes or executable instructions to supportinteraction with the appliance 200 or operating system by a user via theGUI 210 and/or CLI 212.

Health monitoring program 216 is used to monitor, check, report andensure that network systems are functioning properly and that users arereceiving requested content over a network. Health monitoring program216 comprises one or more programs, services, tasks, processes orexecutable instructions to provide logic, rules, functions or operationsfor monitoring any activity of the appliance 200. In some embodiments,the health monitoring program 216 intercepts and inspects any networktraffic passed via the appliance 200. In other embodiments, the healthmonitoring program 216 interfaces by any suitable means and/ormechanisms with one or more of the following: the encryption engine 234,cache manager 232, policy engine 236, multi-protocol compression logic238, packet engine 240, daemon services 218, and shell services 214. Assuch, the health monitoring program 216 may call any applicationprogramming interface (API) to determine a state, status, or health ofany portion of the appliance 200. For example, the health monitoringprogram 216 may ping or send a status inquiry on a periodic basis tocheck if a program, process, service or task is active and currentlyrunning. In another example, the health monitoring program 216 may checkany status, error or history logs provided by any program, process,service or task to determine any condition, status or error with anyportion of the appliance 200.

Daemon services 218 are programs that run continuously or in thebackground and handle periodic service requests received by appliance200. In some embodiments, a daemon service may forward the requests toother programs or processes, such as another daemon service 218 asappropriate. As known to those skilled in the art, a daemon service 218may run unattended to perform continuous or periodic system widefunctions, such as network control, or to perform any desired task. Insome embodiments, one or more daemon services 218 run in the user space202, while in other embodiments, one or more daemon services 218 run inthe kernel space.

Referring now to FIG. 2B, another embodiment of the appliance 200 isdepicted. In brief overview, the appliance 200 provides one or more ofthe following services, functionality or operations: SSL VPNconnectivity 280, switching/load balancing 284, Domain Name Serviceresolution 286, acceleration 288 and an application firewall 290 forcommunications between one or more clients 102 and one or more servers106. In one embodiment, the appliance 200 comprises any of the networkdevices manufactured by Citrix Systems, Inc. of Ft. Lauderdale Fla.,referred to as Citrix NetScaler devices. Each of the servers 106 mayprovide one or more network related services 270 a-270 n (referred to asservices 270). For example, a server 106 may provide an http service270. The appliance 200 comprises one or more virtual servers or virtualinternet protocol servers, referred to as a vServer, VIP server, or justVIP 275 a-275 n (also referred herein as vServer 275). The vServer 275receives, intercepts or otherwise processes communications between aclient 102 and a server 106 in accordance with the configuration andoperations of the appliance 200.

The vServer 275 may comprise software, hardware or any combination ofsoftware and hardware. The vServer 275 may comprise any type and form ofprogram, service, task, process or executable instructions operating inuser mode 202, kernel mode 204 or any combination thereof in theappliance 200. The vServer 275 includes any logic, functions, rules, oroperations to perform any embodiments of the techniques describedherein, such as SSL VPN 280, switching/load balancing 284, Domain NameService resolution 286, acceleration 288 and an application firewall290. In some embodiments, the vServer 275 establishes a connection to aservice 270 of a server 106. The service 275 may comprise any program,application, process, task or set of executable instructions capable ofconnecting to and communicating to the appliance 200, client 102 orvServer 275. For example, the service 275 may comprise a web server,http server, ftp, email or database server. In some embodiments, theservice 270 is a daemon process or network driver for listening,receiving and/or sending communications for an application, such asemail, database or an enterprise application. In some embodiments, theservice 270 may communicate on a specific IP address, or IP address andport.

In some embodiments, the vServer 275 applies one or more policies of thepolicy engine 236 to network communications between the client 102 andserver 106. In one embodiment, the policies are associated with aVServer 275. In another embodiment, the policies are based on a user, ora group of users. In yet another embodiment, a policy is global andapplies to one or more vServers 275 a-275 n, and any user or group ofusers communicating via the appliance 200. In some embodiments, thepolicies of the policy engine have conditions upon which the policy isapplied based on any content of the communication, such as internetprotocol address, port, protocol type, header or fields in a packet, orthe context of the communication, such as user, group of the user,vServer 275, transport layer connection, and/or identification orattributes of the client 102 or server 106.

In other embodiments, the appliance 200 communicates or interfaces withthe policy engine 236 to determine authentication and/or authorizationof a remote user or a remote client 102 to access the computingenvironment 15, application, and/or data file from a server 106. Inanother embodiment, the appliance 200 communicates or interfaces withthe policy engine 236 to determine authentication and/or authorizationof a remote user or a remote client 102 to have the application deliverysystem 190 deliver one or more of the computing environment 15,application, and/or data file. In yet another embodiment, the appliance200 establishes a VPN or SSL VPN connection based on the policy engine's236 authentication and/or authorization of a remote user or a remoteclient 103 In one embodiment, the appliance 102 controls the flow ofnetwork traffic and communication sessions based on policies of thepolicy engine 236. For example, the appliance 200 may control the accessto a computing environment 15, application or data file based on thepolicy engine 236.

In some embodiments, the vServer 275 establishes a transport layerconnection, such as a TCP (Transport Control Protocol) or UDP (UserDatagram Protocol) connection with a client 102 via the client agent120. In one embodiment, the vServer 275 listens for and receivescommunications from the client 102. In other embodiments, the vServer275 establishes a transport layer connection, such as a TCP or UDPconnection with a client server 106. In one embodiment, the vServer 275establishes the transport layer connection to an internet protocoladdress and port of a server 270 running on the server 106. In anotherembodiment, the vServer 275 associates a first transport layerconnection to a client 102 with a second transport layer connection tothe server 106. In some embodiments, a vServer 275 establishes a pool oftransport layer connections to a server 106 and multiplexes clientrequests via the pooled transport layer connections.

In some embodiments, the appliance 200 provides a SSL VPN connection 280between a client 102 and a server 106. For example, a client 102 on afirst network 102 requests to establish a connection to a server 106 ona second network 104′. In some embodiments, the second network 104′ isnot routable from the first network 104. In other embodiments, theclient 102 is on a public network 104 and the server 106 is on a privatenetwork 104′, such as a corporate network. In one embodiment, the clientagent 120 intercepts communications of the client 102 on the firstnetwork 104, encrypts the communications, and transmits thecommunications via a first transport layer connection to the appliance200. The appliance 200 associates the first transport layer connectionon the first network 104 to a second transport layer connection to theserver 106 on the second network 104. The appliance 200 receives theintercepted communication from the client agent 120, decrypts thecommunications, and transmits the communication to the server 106 on thesecond network 104 via the second transport layer connection. The secondtransport layer connection may be a pooled transport layer connection.As such, the appliance 200 provides an end-to-end secure transport layerconnection for the client 102 between the two networks 104, 104′.

In one embodiment, the appliance 200 hosts an intranet internet protocolor intranetIP 282 address of the client 102 on the virtual privatenetwork 104. The client 102 has a local network identifier, such as aninternet protocol (IP) address and/or host name on the first network104. When connected to the second network 104′ via the appliance 200,the appliance 200 establishes, assigns or otherwise provides anIntranetIP, which is a network identifier, such as IP address and/orhost name, for the client 102 on the second network 104′. The appliance200 listens for and receives on the second or private network 104′ forany communications directed towards the client 102 using the client'sestablished IntranetIP 282. In one embodiment, the appliance 200 acts asor on behalf of the client 102 on the second private network 104. Forexample, in another embodiment, a vServer 275 listens for and respondsto communications to the IntranetIP 282 of the client 102. In someembodiments, if a computing device 100 on the second network 104′transmits a request, the appliance 200 processes the request as if itwere the client 102. For example, the appliance 200 may respond to aping to the client's IntranetIP 282. In another example, the appliancemay establish a connection, such as a TCP or UDP connection, withcomputing device 100 on the second network 104 requesting a connectionwith the client's IntranetIP 282.

In some embodiments, the appliance 200 provides one or more of thefollowing acceleration techniques 288 to communications between theclient 102 and server 106: 1) compression; 2) decompression; 3)Transmission Control Protocol pooling; 4) Transmission Control Protocolmultiplexing; 5) Transmission Control Protocol buffering; and 6)caching. In one embodiment, the appliance 200 relieves servers 106 ofmuch of the processing load caused by repeatedly opening and closingtransport layers connections to clients 102 by opening one or moretransport layer connections with each server 106 and maintaining theseconnections to allow repeated data accesses by clients via the Internet.This technique is referred to herein as “connection pooling”.

In some embodiments, in order to seamlessly splice communications from aclient 102 to a server 106 via a pooled transport layer connection, theappliance 200 translates or multiplexes communications by modifyingsequence number and acknowledgment numbers at the transport layerprotocol level. This is referred to as “connection multiplexing”. Insome embodiments, no application layer protocol interaction is required.For example, in the case of an in-bound packet (that is, a packetreceived from a client 102), the source network address of the packet ischanged to that of an output port of appliance 200, and the destinationnetwork address is changed to that of the intended server. In the caseof an outbound packet (that is, one received from a server 106), thesource network address is changed from that of the server 106 to that ofan output port of appliance 200 and the destination address is changedfrom that of appliance 200 to that of the requesting client 102. Thesequence numbers and acknowledgment numbers of the packet are alsotranslated to sequence numbers and acknowledgement expected by theclient 102 on the appliance's 200 transport layer connection to theclient 102. In some embodiments, the packet checksum of the transportlayer protocol is recalculated to account for these translations.

In another embodiment, the appliance 200 provides switching orload-balancing functionality 284 for communications between the client102 and server 106. In some embodiments, the appliance 200 distributestraffic and directs client requests to a server 106 based on layer 4 orapplication-layer request data. In one embodiment, although the networklayer or layer 2 of the network packet identifies a destination server106, the appliance 200 determines the server 106 to distribute thenetwork packet by application information and data carried as payload ofthe transport layer packet. In one embodiment, the health monitoringprograms 216 of the appliance 200 monitor the health of servers todetermine the server 106 for which to distribute a client's request. Insome embodiments, if the appliance 200 detects a server 106 is notavailable or has a load over a predetermined threshold, the appliance200 can direct or distribute client requests to another server 106.

In some embodiments, the appliance 200 acts as a Domain Name Service(DNS) resolver or otherwise provides resolution of a DNS request fromclients 102. In some embodiments, the appliance intercepts' a DNSrequest transmitted by the client 102. In one embodiment, the appliance200 responds to a client's DNS request with an IP address of or hostedby the appliance 200. In this embodiment, the client 102 transmitsnetwork communication for the domain name to the appliance 200. Inanother embodiment, the appliance 200 responds to a client's DNS requestwith an IP address of or hosted by a second appliance 200′. In someembodiments, the appliance 200 responds to a client's DNS request withan IP address of a server 106 determined by the appliance 200.

In yet another embodiment, the appliance 200 provides applicationfirewall functionality 290 for communications between the client 102 andserver 106. In one embodiment, the policy engine 236 provides rules fordetecting and blocking illegitimate requests. In some embodiments, theapplication firewall 290 protects against denial of service (DoS)attacks. In other embodiments, the appliance inspects the content ofintercepted requests to identify and block application-based attacks. Insome embodiments, the rules/policy engine 236 comprises one or moreapplication firewall or security control policies for providingprotections against various classes and types of web or Internet basedvulnerabilities, such as one or more of the following: 1) bufferoverflow, 2) CGI-BIN parameter manipulation, 3) form/hidden fieldmanipulation, 4) forceful browsing, 5) cookie or session poisoning, 6)broken access control list (ACLs) or weak passwords, 7) cross-sitescripting (XSS), 8) command injection, 9) SQL injection, 10) errortriggering sensitive information leak, 11) insecure use of cryptography,12) server misconfiguration, 13) back doors and debug options, 14)website defacement, 15) platform or operating systems vulnerabilities,and 16) zero-day exploits. In an embodiment, the application firewall290 provides HTML form field protection in the form of inspecting oranalyzing the network communication for one or more of the following: 1)required fields are returned, 2) no added field allowed, 3) read-onlyand hidden field enforcement, 4) drop-down list and radio button fieldconformance, and 5) form-field max-length enforcement. In someembodiments, the application firewall 290 ensures cookies are notmodified. In other embodiments, the application firewall 290 protectsagainst forceful browsing by enforcing legal URLs.

In still yet other embodiments, the application firewall 290 protectsany confidential information contained in the network communication. Theapplication firewall 290 may inspect or analyze any networkcommunication in accordance with the rules or polices of the engine 236to identify any confidential information in any field of the networkpacket. In some embodiments, the application firewall 290 identifies inthe network communication one or more occurrences of a credit cardnumber, password, social security number, name, patient code, contactinformation, and age. The encoded portion of the network communicationmay comprise these occurrences or the confidential information. Based onthese occurrences, in one embodiment, the application firewall 290 maytake a policy action on the network communication, such as preventtransmission of the network communication. In another embodiment, theapplication firewall 290 may rewrite, remove or otherwise mask suchidentified occurrence or confidential information.

C. Client Agent

Referring now to FIG. 3, an embodiment of the client agent 120 isdepicted. The client 102 includes a client agent 120 for establishingand exchanging communications with the appliance 200 and/or server 106via a network 104. In brief overview, the client 102 operates oncomputing device 100 having an operating system with a kernel mode 302and a user mode 303, and a network stack 310 with one or more layers 310a-310 b. The client 102 may have installed and/or execute one or moreapplications. In some embodiments, one or more applications maycommunicate via the network stack 310 to a network 104. One of theapplications, such as a web browser, may also include a first program322. For example, the first program 322 may be used in some embodimentsto install and/or execute the client agent 120, or any portion thereof.The client agent 120 includes an interception mechanism, or interceptor350, for intercepting network communications from the network stack 310from the one or more applications.

The network stack 310 of the client 102 may comprise any type and formof software, or hardware, or any combinations thereof, for providingconnectivity to and communications with a network. In one embodiment,the network stack 310 comprises a software implementation for a networkprotocol suite. The network stack 310 may comprise one or more networklayers, such as any networks layers of the Open Systems Interconnection(OSI) communications model as those skilled in the art recognize andappreciate. As such, the network stack 310 may comprise any type andform of protocols for any of the following layers of the OSI model: 1)physical link layer, 2) data link layer, 3) network layer, 4) transportlayer, 5) session layer, 6) presentation layer, and 7) applicationlayer. In one embodiment, the network stack 310 may comprise a transportcontrol protocol (TCP) over the network layer protocol of the internetprotocol (IP), generally referred to as TCP/IP. In some embodiments, theTCP/IP protocol may be carried over the Ethernet protocol, which maycomprise any of the family of IEEE wide-area-network (WAN) orlocal-area-network (LAN) protocols, such as those protocols covered bythe IEEE 802.3. In some embodiments, the network stack 310 comprises anytype and form of a wireless protocol, such as IEEE 802.11 and/or mobileinternet protocol.

In view of a TCP/IP based network, any TCP/IP based protocol may beused, including Messaging Application Programming Interface (MAPI)(email), File Transfer Protocol (FTP), HyperText Transfer Protocol(HTTP), Common Internet File System (CIFS) protocol (file transfer),Independent Computing Architecture (ICA) protocol, Remote DesktopProtocol (RDP), Wireless Application Protocol (WAP), Mobile IP protocol,and Voice Over IP (VoIP) protocol. In another embodiment, the networkstack 310 comprises any type and form of transport control protocol,such as a modified transport control protocol, for example a TransactionTCP (T/TCP), TCP with selection acknowledgements (TCP-SACK), TCP withlarge windows (TCP-LW), a congestion prediction protocol such as theTCP-Vegas protocol, and a TCP spoofing protocol. In other embodiments,any type and form of user datagram protocol (UDP), such as UDP over IP,may be used by the network stack 310, such as for voice communicationsor real-time data communications.

Furthermore, the network stack 310 may include one or more networkdrivers supporting the one or more layers, such as a TCP driver or anetwork layer driver. The network drivers may be included as part of theoperating system of the computing device 100 or as part of any networkinterface cards or other network access components of the computingdevice 100. In some embodiments, any of the network drivers of thenetwork stack 310 may be customized, modified or adapted to provide acustom or modified portion of the network stack 310 in support of any ofthe techniques described herein. In other embodiments, the accelerationprogram 120 is designed and constructed to operate with or work inconjunction with the network stack 310 installed or otherwise providedby the operating system of the client 102.

The network stack 310 comprises any type and form of interfaces forreceiving, obtaining, providing or otherwise accessing any informationand data related to network communications of the client 102. In oneembodiment, an interface to the network stack 310 comprises anapplication programming interface (API). The interface may also compriseany function call, hooking or filtering mechanism, event or call backmechanism, or any type of interfacing technique. The network stack 310via the interface may receive or provide any type and form of datastructure, such as an object, related to functionality or operation ofthe network stack 310. For example, the data structure may compriseinformation and data related to a network packet or one or more networkpackets. In some embodiments, the data structure comprises a portion ofthe network packet processed at a protocol layer of the network stack310, such as a network packet of the transport layer. In someembodiments, the data structure 325 comprises a kernel-level datastructure, while in other embodiments, the data structure 325 comprisesa user-mode data structure. A kernel-level data structure may comprise adata structure obtained or related to a portion of the network stack 310operating in kernel-mode 302, or a network driver or other softwarerunning in kernel-mode 302, or any data structure obtained or receivedby a service, process, task, thread or other executable instructionsrunning or operating in kernel-mode of the operating system.

Additionally, some portions of the network stack 310 may execute oroperate in kernel-mode 302, for example, the data link or network layer,while other portions execute or operate in user-mode 303, such as anapplication layer of the network stack 310. For example, a first portion310 a of the network stack may provide user-mode access to the networkstack 310 to an application while a second portion 310 a of the networkstack 310 provides access to a network. In some embodiments, a firstportion 310 a of the network stack may comprise one or more upper layersof the network stack 310, such as any of layers 5-7. In otherembodiments, a second portion 310 b of the network stack 310 comprisesone or more lower layers, such as any of layers 1-4. Each of the firstportion 310 a and second portion 310 b of the network stack 310 maycomprise any portion of the network stack 310, at any one or morenetwork layers, in user-mode 203, kernel-mode, 202, or combinationsthereof, or at any portion of a network layer or interface point to anetwork layer or any portion of or interface point to the user-mode 203and kernel-mode 203.

The interceptor 350 may comprise software, hardware, or any combinationof software and hardware. In one embodiment, the interceptor 350intercept a network communication at any point in the network stack 310,and redirects or transmits the network communication to a destinationdesired, managed or controlled by the interceptor 350 or client agent120. For example, the interceptor 350 may intercept a networkcommunication of a network stack 310 of a first network and transmit thenetwork communication to the appliance 200 for transmission on a secondnetwork 104. In some embodiments, the interceptor 350 comprises any typeinterceptor 350 comprises a driver, such as a network driver constructedand designed to interface and work with the network stack 310. In someembodiments, the client agent 120 and/or interceptor 350 operates at oneor more layers of the network stack 310, such as at the transport layer.In one embodiment, the interceptor 350 comprises a filter driver,hooking mechanism, or any form and type of suitable network driverinterface that interfaces to the transport layer of the network stack,such as via the transport driver interface (TDI). In some embodiments,the interceptor 350 interfaces to a first protocol layer, such as thetransport layer and another protocol layer, such as any layer above thetransport protocol layer, for example, an application protocol layer. Inone embodiment, the interceptor 350 may comprise a driver complying withthe Network Driver Interface Specification (NDIS), or a NDIS driver. Inanother embodiment, the interceptor 350 may comprise a mini-filter or amini-port driver. In one embodiment, the interceptor 350, or portionthereof, operates in kernel-mode 202. In another embodiment, theinterceptor 350, or portion thereof, operates in user-mode 203. In someembodiments, a portion of the interceptor 350 operates in kernel-mode202 while another portion of the interceptor 350 operates in user-mode203. In other embodiments, the client agent 120 operates in user-mode203 but interfaces via the interceptor 350 to a kernel-mode driver,process, service, task or portion of the operating system, such as toobtain a kernel-level data structure 225. In further embodiments, theinterceptor 350 is a user-mode application or program, such asapplication.

In one embodiment, the interceptor 350 intercepts any transport layerconnection requests. In these embodiments, the interceptor 350 executetransport layer application programming interface (API) calls to set thedestination information, such as destination IP address and/or port to adesired location for the location. In this manner, the interceptor 350intercepts and redirects the transport layer connection to a IP addressand port controlled or managed by the interceptor 350 or client agent120. In one embodiment, the interceptor 350 sets the destinationinformation for the connection to a local IP address and port of theclient 102 on which the client agent 120 is listening. For example, theclient agent 120 may comprise a proxy service listening on a local IPaddress and port for redirected transport layer communications. In someembodiments, the client agent 120 then communicates the redirectedtransport layer communication to the appliance 200.

In some embodiments, the interceptor 350 intercepts a Domain NameService (DNS) request. In one embodiment, the client agent 120 and/orinterceptor 350 resolves the DNS request. In another embodiment, theinterceptor transmits the intercepted DNS request to the appliance 200for DNS resolution. In one embodiment, the appliance 200 resolves theDNS request and communicates the DNS response to the client agent 120.In some embodiments, the appliance 200 resolves the DNS request viaanother appliance 200′ or a DNS server 106.

In yet another embodiment, the client agent 120 may comprise two agents120 and 120′. In one embodiment, a first agent 120 may comprise aninterceptor 350 operating at the network layer of the network stack 310.In some embodiments, the first agent 120 intercepts network layerrequests such as Internet Control Message Protocol (ICMP) requests(e.g., ping and traceroute). In other embodiments, the second agent 120′may operate at the transport layer and intercept transport layercommunications. In some embodiments, the first agent 120 interceptscommunications at one layer of the network stack 210 and interfaces withor communicates the intercepted communication to the second agent 120′.

The client agent 120 and/or interceptor 350 may operate at or interfacewith a protocol layer in a manner transparent to any other protocollayer of the network stack 310. For example, in one embodiment, theinterceptor 350 operates or interfaces with the transport layer of thenetwork stack 310 transparently to any protocol layer below thetransport layer, such as the network layer, and any protocol layer abovethe transport layer, such as the session, presentation or applicationlayer protocols. This allows the other protocol layers of the networkstack 310 to operate as desired and without modification for using theinterceptor 350. As such, the client agent 120 and/or interceptor 350can interface with the transport layer to secure, optimize, accelerate,route or load-balance any communications provided via any protocolcarried by the transport layer, such as any application layer protocolover TCP/IP.

Furthermore, the client agent 120 and/or interceptor may operate at orinterface with the network stack 310 in a manner transparent to anyapplication, a user of the client 102, and any other computing device,such as a server, in communications with the client 102. The clientagent 120 and/or interceptor 350 may be installed and/or executed on theclient 102 in a manner without modification of an application. In someembodiments, the user of the client 102 or a computing device incommunications with the client 102 are not aware of the existence,execution or operation of the client agent 120 and/or interceptor 350.As such, in some embodiments, the client agent 120 and/or interceptor350 is installed, executed, and/or operated transparently to anapplication, user of the client 102, another computing device, such as aserver, or any of the protocol layers above and/or below the protocollayer interfaced to by the interceptor 350.

The client agent 120 includes an acceleration program 302, a streamingclient 306, and/or a collection agent 304. In one embodiment, the clientagent 120 comprises an Independent Computing Architecture (ICA) client,or any portion thereof, developed by Citrix Systems, Inc. of FortLauderdale, Fla., and is also referred to as an ICA client. In someembodiments, the client 120 comprises an application streaming client306 for streaming an application from a server 106 to a client 102. Insome embodiments, the client agent 120 comprises an acceleration program302 for accelerating communications between client 102 and server 106.In another embodiment, the client agent 120 includes a collection agent304 for performing end-point detection/scanning and collecting end-pointinformation for the appliance 200 and/or server 106.

In some embodiments, the acceleration program 302 comprises aclient-side acceleration program for performing one or more accelerationtechniques to accelerate, enhance or otherwise improve a client'scommunications with and/or access to a server 106, such as accessing anapplication provided by a server 106. The logic, functions, and/oroperations of the executable instructions of the acceleration program302 may perform one or more of the following acceleration techniques: 1)multi-protocol compression, 2) transport control protocol pooling, 3)transport control protocol multiplexing, 4) transport control protocolbuffering, and 5) caching via a cache manager. Additionally, theacceleration program 302 may perform encryption and/or decryption of anycommunications received and/or transmitted by the client 102. In someembodiments, the acceleration program 302 performs one or more of theacceleration techniques in an integrated manner or fashion.Additionally, the acceleration program 302 can perform compression onany of the protocols, or multiple-protocols, carried as a payload of anetwork packet of the transport layer protocol.

The streaming client 306 comprises an application, program, process,service, task or executable instructions for receiving and executing astreamed application from a server 106. A server 106 may stream one ormore application data files to the streaming client 306 for playing,executing or otherwise causing to be executed the application on theclient 102. In some embodiments, the server 106 transmits a set ofcompressed or packaged application data files to the streaming client306. In some embodiments, the plurality of application files arecompressed and stored on a file server within an archive file such as aCAB, ZIP, SIT, TAR, JAR or other archive. In one embodiment, the server106 decompresses, unpackages or unarchives the application files andtransmits the files to the client 102. In another embodiment, the client102 decompresses, unpackages or unarchives the application files. Thestreaming client 306 dynamically installs the application, or portionthereof, and executes the application. In one embodiment, the streamingclient 306 may be an executable program. In some embodiments, thestreaming client 306 may be able to launch another executable program.

The collection agent 304 comprises an application, program, process,service, task or executable instructions for identifying, obtainingand/or collecting information about the client 102. In some embodiments,the appliance 200 transmits the collection agent 304 to the client 102or client agent 120. The collection agent 304 may be configuredaccording to one or more policies of the policy engine 236 of theappliance. In other embodiments, the collection agent 304 transmitscollected information on the client 102 to the appliance 200. In oneembodiment, the policy engine 236 of the appliance 200 uses thecollected information to determine and provide access, authenticationand authorization control of the client's connection to a network 104.

In one embodiment, the collection agent 304 comprises an end-pointdetection and scanning mechanism, which identifies and determines one ormore attributes or characteristics of the client. For example, thecollection agent 304 may identify and determine any one or more of thefollowing client-side attributes: 1) the operating system an/or aversion of an operating system, 2) a service pack of the operatingsystem, 3) a running service, 4) a running process, and 5) a file. Thecollection agent 304 may also identify and determine the presence orversions of any one or more of the following on the client: 1) antivirussoftware, 2) personal firewall software, 3) anti-spam software, and 4)internet security software. The policy engine 236 may have one or morepolicies based on any one or more of the attributes or characteristicsof the client or client-side attributes.

In some embodiments and still referring to FIG. 3, a first program 322may be used to install and/or execute the client agent 120, or portionthereof, such as the interceptor 350, automatically, silently,transparently, or otherwise. In one embodiment, the first program 322comprises a plugin component, such an ActiveX control or Java control orscript that is loaded into and executed by an application. For example,the first program comprises an ActiveX control loaded and run by a webbrowser application, such as in the memory space or context of theapplication. In another embodiment, the first program 322 comprises aset of executable instructions loaded into and run by the application,such as a browser. In one embodiment, the first program 322 comprises adesigned and constructed program to install the client agent 120. Insome embodiments, the first program 322 obtains, downloads, or receivesthe client agent 120 via the network from another computing device. Inanother embodiment, the first program 322 is an installer program or aplug and play manager for installing programs, such as network drivers,on the operating system of the client 102.

Communication between a program neighborhood-enabled client 102 and aserver 106 or appliance 200 may occur over a dedicated virtual channelthat is established on top of an ICA virtual channel. In someembodiments, the communication occurs using an XML service. In otherembodiments, the client 102 runs a client-side dialog that acquires thecredentials of a user of the client 102. In still other embodiments, auser management subsystem on a server 106 receiving the credentials ofthe user may return a set of distinguished names representing the listof accounts to which the user belongs. Upon authentication, the server106 may establish a program neighborhood virtual channel, a controlchannel, or other communications channel. In yet other embodiments, anacceleration program 302 may also be transmitted to the client 102 inresponse to a client 102 request.

In some embodiments, a client 102 may use the client agent 120 to browsefarm 38, servers 106 and applications in the farm 38. In one embodiment,each server 106 includes an ICA browsing subsystem to provide the client102 with browsing capability. After the client 102 establishes aconnection with the ICA browser subsystem of any of the servers 106,that browser subsystem supports a variety of client 102 requests. Suchrequests include: (1) enumerating names of servers in the farm, (2)enumerating names of applications published in the farm, (3) resolving aserver name and/or application name to a server address that is usefulto the client 102. The ICA browser subsystem also supports requests madeby clients 102 running a program neighborhood application that providesthe client 102, upon request, with a view of those applications withinthe farm 38 for which the user is authorized. The ICA browser subsystemforwards all of the above-mentioned client requests to the appropriatesubsystem in the server 106.

In one embodiment, a user of the client 102 selects an application forexecution from a received enumeration of available applications. Inanother embodiment, the user selects an application for executionindependent of the received enumeration. In some embodiments, the userselects an application for execution by selecting a graphicalrepresentation of the application presented on the client 102 by aclient agent 120. In other embodiments, the user selects an applicationfor execution by selecting a graphical representation of the applicationpresented to the user on a web server or other server 106. In someembodiments, an appliance 200 or acceleration program 302 acceleratesdelivery of the graphical representation. In some embodiments, anappliance 200 caches or stores the graphical representation. In someembodiments an appliance 200 may cache or store any and all of theassociated applications or portions of the associated applications.

In some embodiments, when a client 102 connects to the network 104, theuser of the client 102 provides user credentials. User credentials mayinclude the username of a user of the client 102, the password of theuser, and the domain name for which the user is authorized.Alternatively, the user credentials may be obtained from smart cards,time-based tokens, social security numbers, user passwords, personalidentification (PIN) numbers, digital certificates based on symmetrickey or elliptic curve cryptography, biometric characteristics of theuser, or any other means by which the identification of the user of theclient 102 can be obtained and submitted for authentication. The server106 or appliance 200 responding to the client 102 can authenticate theuser based on the user credentials.

In some embodiments, the client 102 provides credentials upon making arequest for execution of an application to a server 106, directly orthrough an appliance 200. In one of these embodiments, the client 102requests access to an application residing on a server 106. In anotherof these embodiments, the client 102 requests access to a network onwhich a desired resource resides. In other embodiments, the client 102provides credentials upon making a request for a connection to anappliance 200. In one of these embodiments, the client 102 requestsaccess to a virtual private network. In another of these embodiments,the client 102 requests a network address on the virtual privatenetwork. In still another of these embodiments, the client 102 initiatesa connection to the appliance 200.

In some embodiments, the user provides credentials to the server 106 orappliance 200 via a graphical user interface presented to the client 102by the server 106 or appliance 200. In other embodiments, a server 106or appliance 200 having the functionality of a web server provides thegraphical user interface to the client 102. In still other embodiments,a collection agent transmitted to the client 102 by the server 106 orappliance 200 gathers the credentials from the client 102.

In one embodiment, a credential refers to a username and password. Inanother embodiment, a credential is not limited to a username andpassword but includes, without limitation, a machine ID of the client102, operating system type, existence of a patch to an operating system,MAC addresses of installed network cards, a digital watermark on theclient device, membership in an Active Directory, existence of a virusscanner, existence of a personal firewall, an HTTP header, browser type,device type, network connection information such as internet protocoladdress or range of addresses, machine ID of the server 106 or appliance200, date or time of access request including adjustments for varyingtime zones, and authorization credentials.

In some embodiments, a credential associated with a client 102 isassociated with a user of the client 102. In one of these embodiments,the credential is information possessed by the user. In another of theseembodiments, the credential is user authentication information. In otherembodiments, a credential associated with a client is associated with anetwork. In one of these embodiments, the credential is informationassociated with a network to which the client may connect. In another ofthese embodiments, the credential is information associated with anetwork collecting information about the client. In still otherembodiments, a credential associated with a client is a characteristicof the client.

In some embodiments, the user authentication performed by the server 106or appliance 200 may suffice to authorize the use of each hostedapplication program presented to the client 102, although suchapplications may reside at another server 106′. Accordingly, when theclient 102 launches (i.e., initiates execution of) one of the hostedapplications, additional input of user credentials by the client 102 maybe unnecessary to authenticate use of that application. Thus, a singleentry of the user credentials may serve to determine the availableapplications and to authorize the launching of such applications withoutan additional, manual log-on authentication process by the user.

In one embodiment, an appliance 200 receives a request for access to aresource from a client 102. In another embodiment, the appliance 200receives a request for access to a virtual private network. In stillanother embodiment, the appliance 200 makes a determination as towhether to grant access and what level of access to grant. In yetanother embodiment, the appliance 200 makes a determination as to whattype of connection to establish when providing the client with access tothe application.

In some embodiments, decisions regarding whether and how to grant a useraccess to a requested resource are made responsive to determinations bya policy engine regarding whether and how a client 102 may access anapplication. In one of these embodiments, a decision regarding a levelof access is made responsive to a policy engine determination. Inanother of these embodiments, a decision regarding a type of access ismade responsive to a policy engine determination. In still another ofthese embodiments, a decision regarding a type of connection is maderesponsive to a policy engine determination. The policy engine maycollect information about the client 102 prior to making thedetermination. In some embodiments, the policy engine resides on theappliance 200. In other embodiments, the appliance 200 is incommunication with a police engine residing on a server 106.

D. IIP Addressing Environment

Referring now to FIG. 4, an embodiment of an environment for providingIntranet Internet Protocol (IIP) addresses to users and/or clients isdepicted. The IIP addressing environment provided by the appliance 200and/or client 102 may be used for: 1) assigning, based on policy,temporal and/or status information, an IIP address 282 to a user from aplurality of IIP addresses designated to the user for accessing anetwork via the appliance, 2) providing an IIP address 282 assigned tothe user to an application on a client requesting resolution of theinternet protocol address of the client 102, and 3) providing amechanism to determine the IIP address 282 assigned to the user via aconfigurable user domain name associated with the user's IIP address282.

In brief overview, the appliance 200 provides an IIP pool 410 of IIPaddresses 282A-282N to be assigned and/or used by one or more users. TheIIP pool 410 may include a pool 412 of free or unassigned IIP addresses,i.e. a free pool 413, a pool 414 of IIP addresses that may be reclaimed,i.e., a reclaim pool 414, and/or a pool 416 of IIP addresses that may beassigned via transfer, i.e., a transfer pool 416, such as via thetransfer of a session 445, e.g., a SSL VPN session provided by theappliance 200. In some embodiments, if an IIP address 282 is notavailable from the IIP pool 410, then a mapped IP (MIP) 440 may be usedto provide a client or a user an IIP address 282. For mapped IP, theappliance 200 intercepts an incoming client's IP and replaces it with aMIP address. Any servers sitting behind the appliance 200 see a MIPinstead of a the client's actual IP address in the IP header field oftraffic directed to them.

A set of one or more IIP addresses 282A-282N may be designated for orassociated with a user. In one embodiment, the appliance 200 via an IIPpolicy 420 provides a user with an IIP address from a plurality of IIPaddresses 282A-282N designated for the user. For example, the IIP policy420 may indicate to provide the user with the most recently used IIPaddress 282 of the user. The appliance 200 includes a database or table450 for maintaining an association of IIP addresses 286 to entities,such as users.

In additional overview, the appliance 200 provides a mechanism forquerying the IIP address 282 assigned to and/or used by the user. Theappliance 200 may be configured with a user domain name policy 430specifying a domain suffix 435 to associate with an identifier of theuser. For example, the domain name policy 430 may indicate to append thedomain suffix “mycompany.com” 435 to a user identifier, such as the userid of the user when logged into the appliance 200 or network 104′. As aresult, in some embodiments, the appliance 200 associates the userdomain name 437 of <user id>.<domain suffix>, e.g.,“userA.mycompany.com” with the IIP address assigned to the user. Theappliance 200 may store in the domain name service (DNS) 286, or DNScache the user domain name 437 in association with the IIP address 282.The appliance 200 can resolve any DNS queries or ping commands based onthe user domain name 437 by providing the associated IIP address 232.

In further overview, the client agent 120 provides a mechanism by whichthe IIP address 282 is provided to an application. The client agent 120includes an interception or hooking mechanism 350 for intercepting anyapplication programming interface (API) calls of the application relatedto determining or resolving the internet protocol address of the client102, such as for example, gethostbyname. Instead of providing theinternet protocol address of the client 102 identified in the networkstack 310, e.g., the IP address of the client on network 104, the clientagent 120 provides the IIP address 282 assigned to the user via theappliance 200, such as the IIP address 282 of the client 102 or user ofthe client 102 on the second network 104′ connected from the client 102on a first network 104 via a SSL VPN connection of the appliance.

In more detail, the appliance 200 provides an IIP address 282 to a useror the client of the user. In one embodiment, the IIP address 282 is theinternet protocol address of the user, or the client used by the user,for communications on the network 104′ accessed via the appliance 200.For example, the user may communicate on a first network 104 via anetwork stack 310 of a client 102 that provides an internet protocol(IP) address for the first network 104, such as for example,200.100.10.1. From client 102 on the first network 104, the user mayestablish a connection, such as an SSL VPN connection, with a secondnetwork 104′ via the appliance 200. The appliance 200 provides an IIPaddress 282 for the second network 104′ to the client and/or user, suchas 192.10.1.1. Although the client 102 has an IP address on the firstnetwork 104 (e.g., 200.100.10.1), the user and/or client has an IIPaddress 282 or second network IP address (e.g., 192.10.1.1) forcommunications on the second network 104′. In one embodiment, the IIPaddress 282 is the internet protocol address assigned to the client 102on the VPN, or SSL VPN, connected network 104′. In another embodiment,the appliance 200 provides or acts as a DNS 286 for clients 102communicating via the appliance 200. In some embodiments, the appliance200 assigns or leases internet protocol addresses, referred to as IIPaddresses 282, to client's requesting an internet protocol address, suchas dynamically via Dynamic Host Configuration Protocol (DHCP).

The appliance 200 may provide the IIP address 282 from an IIP pool 410of one or more IIP addresses 282A-282N. In some embodiments, theappliance 200 obtains a pool of internet protocol addresses on network104′ from a server 106 to use for the IIP pool 410. In one embodiment,the appliance 200 obtains an IIP address pool 410, or portion thereof,from a DNS server 406, such as one provided via server 106. In anotherembodiment, the appliance 200 obtains an IIP address pool 410, orportion thereof, from a Remote Authentication Dial In User Service,RADIUS, server 408, such as one provided via server 106. In yet anotherembodiment, the appliance 200 acts as a DNS server 286 or provides DNSfunctionally 286 for network 104′. For example, a vServer 275 may beconfigured as a DNS 286. In these embodiments, the appliance 200 obtainsor provides an IIP pool from the appliance provided DNS 286.

The appliance 200 may designate, assign or allocate IIP addresses forany of the following entities: 1) user, 2) group, 3) vServer, and d)global. In some embodiments, the IIP pool 410 may be designated or usedfor assigning IIP addresses 286 to users. In other embodiments, IIP pool410 may include IIP addresses 286 to be assigned to or used by servicesof the appliance 200, such as vServers 275. In other embodiments, IIPpool 410 may include IIP addresses 286 to be assigned to or used byglobal or group entities of the appliance 200. In one embodiment, theIIP pool 410 may comprise a single pool of IIP addresses. In anotherembodiment, the IIP pool 410 may comprise multiple pools or sub-pools ofIIP addresses. In some embodiments, the IIP pool 410 comprises a freeIIP pool 412. In other embodiments, the IIP pool 410 comprises areclaimed IIP pool 414. In yet another embodiment, the IIP pool 410comprises a transfer IIP pool 416. In some embodiments, the IIP pool 410comprises any combination of a free IIP pool 412, a reclaimed IIP pool414 and/or a transfer IIP pool 416. In one embodiment, the free IIP pool413 comprises IP addresses which are available for usage. In someembodiments, the reclaimed IIP pool 414 comprises IP addresses which areassociated with an entity, such as a user, group or vServer, but areinactive and available for usage. In other embodiments, the transfer IIPpool 416 comprises IP addresses that are active but can be madeavailable through a transfer login or transfer session process.

In some embodiments, the appliance 200 may list or enumerate internetprotocol addresses used for IIP addresses in the IIP pool 410, or insome embodiments, any of the sub-pools 412, 414, 416, in an order orpriority. In some embodiments, the appliance 200 enumerates or lists theIIP addresses of a pool according to the following scheme: 1) user, 2)group, 3) vServer, and d) global. In one embodiment, the appliance 200provides an IIP address from an IIP pool 410 for assignment based on theorder or priority. For example, the appliance 200 may try to obtain afree IIP address from the user associated IP free pool 412 first. If anIIP address is not available from the user portion of the pool, theappliance 200 may then try to obtain a free IIP address from the groupportion of the pool 412, and so on, via the vServer and global portionsof the pool until an IIP address can be assigned. Likewise, theappliance 200 may prioritize the sub-pools 412, 414, and 416, in anyorder or combination, to search for IIP addresses to assign. Forexample, the appliance 200 may first search the free IIP pool 412, thenthe reclaimed IIP pool 416 and then the transfer IIP pool 416 for IIPaddresses.

The appliance 200 may comprise any type and form of database or table450 for associating, tracking, managing or maintaining the designation,allocation and/or assignment of IIP addresses to a 1) user, 2) group, 3)vServer, and/or d) global entities from the IIP pool 410. In oneembodiment, the appliance 200 implements an Internet Protocol LightWeight Database Table (IPLWDB) 450. In some embodiments, the IPLWDB 450maintains entries which provide a one-to-one mapping of an IP addresswith or to an entity. In another embodiment, once an entity uses or isassigned an IIP address 282, the IPLWDB maintains the associationbetween the entity and IIP address, which may be referred to as “IIPstickiness” or having the IIP address “stuck” to an entity. In oneembodiment, IIP stickiness refers to the ability or effectiveness of theappliance 200 to maintain or hold the association between the entity andthe IIP address. In some embodiments, IIP stickiness refers to theability or effectiveness of the appliance 200 to maintain the entity/IIPaddress relationship or assignment via any changes in the system, suchas a user logging in and out of the appliance, or changing accesspoints. In some embodiments, the IPLWDB 450 comprises a hash table,which is hashed based on any one or more of the 1) user, 2) group, 3)vServer, and/or d) global entities. The IPLWDB 450 may comprise a hashof the user and any other information associated with the user, such asclient 102, or network 104 of client 104.

The IPLWDB 450 may track, manage or maintain any status and temporalinformation related to the IIP address/entity relationship. In oneembodiment, the IPLWDB 450 maintains if the IIP address for the entityis currently active or inactive. For example, in some embodiments, theIPLWDB 450 identifies an IIP address 282 as active if it is currentlyused in an SSL VPN session via the appliance 200. In another embodiment,the IPLWDB 450 maintains temporal data for the IIP address use by theentity: such as when first used, when last used, how long has been used,and when most recently used. In other embodiments, the IPLWDB 450maintains information on the type or source of usage, such as, in thecase of user, what client 102 or network 104 used from, or for whattransactions or activities were performed using the assigned IIPaddress.

In some embodiments, the IPLWDB 450 tracks, manages and maintainsmultiple IIP addresses used by an entity. The IPLWDB 450 may use one ormore IIP policies 420 for determining which IIP address of a pluralityof IIP addresses to assign or provide to an entity, such as a user. Inone embodiment, the IIP policy 420 may specify to provide for assignmentthe most recently or last used IIP address of the user. In someembodiments, the IIP policy 420 may specify to provide for assignmentthe most used IIP address of the user. In other embodiments, the IIPpolicy 420 may specify to provide the least used IIP address of theuser. In another embodiment, the IIP policy 420 may specify the order orpriority for which to provide IP addresses of the user, for example,from the most recent to least recent. In yet another embodiment, the IIPpolicy 420 may specify which IIP pool 410 or sub-pool 412, 414, 416 touse, and/or in which order. In some embodiments, the IIP policy 420 mayspecify whether or not to use a mapped IP address, and under whatconditions, such as when an inactive IIP address of the user is notavailable. In other embodiments, the IIP policy 420 may specify whetheror not to transfer a session or login of the user, and under whatconditions.

In some embodiments, the appliance 200 can be configured to bind or makethe association of one or more IIP addresses 282 to an entity, such as auser. For example, in some embodiments, the associations in IPLWDB 450are updated or maintained via bind and unbind commands via the appliance200. In one embodiment, the following command can be issued to theappliance 200 via a command line interface (CLI) 212 or GUI 210:

bind aaa user <user-name> [-intranetip <ip_addr>] [<netmask>]For example, if an administrator of the appliance 200 intends toassociate the IIP addresses 282 of 10.102,4,189, 10.102.4.1 and10.102.4.2 with a user “nsroot”, then the administrator may issue thefollowing commands:

bind aaa user nsroot -intranetip 10.102.4.189 255.255.255.255 bind aaauser nsroot -intranetip 10.102.4.0 255 255.255.255.252In one embodiment, the netmask value provides a mechanism for assigninga range of IIP addresses to a user. In some embodiments, the netmaskvalue is optional and the default is 255.255.255.255. For example, thefollowing commands are equivalent:

bind aaa user nsroot -intranetip 10.102.4.189 bind aaa user nsroot-intranetip 10.102.4.189 255.255.255.255Likewise, the administrator 200 or other user may disassociate an IIPaddress with an entity, such as a user, via an unbind command. In someembodiments, the unbind command may have similar format as the bindcommand. In one embodiment, if the IIP address is active, the bind orunbind command will not be processed. In other embodiments, if the IIPaddress is active, the appliance transmits a reset (RST) command to allthe client and server connections associated with the active session,and then proceeds to make any changes associated with the issued bind orunbind command. In another embodiment, the appliance 200 updates theassociated client and server connections with any updated IIP addressinformation. In one embodiment, the appliance 200 re-establishes theassociated client and server connections with the changed IIP address.

In some embodiments, the appliance 200 provides a mechanism and/ortechnique for determining the IIP address 282 of a user. In oneembodiment, the appliance 200 is configured via a user domain namepolicy 430, which provides information on specifying a user domain 437.In one embodiment, the user domain policy 430 specifies a domain suffix435 to be used in forming the user domain 437. For example, the userdomain policy 430, in some embodiments, may be specified by thefollowing command:

add vpn sessionaction <name> [-httpPort <port>...] [-winsIP <ip_addr>]... .... [-homepage <URL>] [-iipdnssuffix <string>]In one embodiment, the iipdnssuffix 435 specifies a string, such as adomain name, that will be appended to the user id/name to form a userdomain name 437. The user id may be the login name of the user, an aliasor nickname of the user, or any user identification associated with theuser's profile. In one embodiment, the domain suffix 435 identifies thedomain name of the network 104 or network 104′. In other embodiments,the domain suffix 435 may comprise a domain name or host name of theappliance 200. In yet other embodiments, the domain suffix 435 may beany desired, predetermined or custom string for identifying the userdomain name 437.

In the case of a user having multiple IIP addresses 282 activeconcurrently, the user domain name policy 430 may specify an instanceidentifier or any other character or symbol to differentiate between afirst instance and a second instance of a VPN session of the user. Forexample, the policy 430 may specify to include a number after the userid, such as <userid><Instance Number> or <userid>_<#>. In otherembodiments, the policy 430 specifies to only associate or provide asingle user domain name 437 for a user. For example, in one embodiment,the user domain name 437 is associated with the first session. In otherembodiments, the user domain name 437 is associated with the most recentsession.

Although the user domain policy 430 is described as providing a domainsuffix 435 to a user identifier to form the user domain name 437, theuser domain policy 430 may specify any portion of the user domain name437. For the example, the user domain policy 430 may specify the formatfor the user identifier or which type of user id to use, such as anidentified portion of the user's profile. In some embodiments, bydefault, the domain suffix 435 may be the same domain name as thenetwork 104. In another embodiment, the user domain policy 430 mayspecify a format for or additions or modifications to the domain name ofthe network 104 in providing the user domain name 437.

When a user logs in and gets assigned an IIP address 282, the appliance200 stores a record associating the user id/name, or user domain name437, and IIP address 282. In some embodiments, the appliance 200 storesthe record in DNS 286, or a DNS cache, on the appliance 200. In anotherembodiment, the appliance 200 stores the record in a DNS 406 on server106. In other embodiments, the appliance 200 stores the record in theIPLWDB 450. The appliance 200 can query a DNS with the user domain name437 and obtain the assigned IIP address 286. A user logged into theappliance 200 via SSL VPN get the IIP address of another user by usingDNS instead of having to remember the IP address. For example, a user onclient 102 can ping the IIP address of another user. The client agent120 can intercept such requests and query the DNS 286 of the appliance200 to determine the IIP address 282 assigned the user domain name. Insome embodiments, without logging into the appliance 200 via SSLVPN, aclient can query the IIP address 282 of a user by sending a DNS queryrequest to the DNS 286 of the appliance 200.

In some embodiments, the client agent 120 provide an interception orhooking mechanism 350 for intercepting any requests for the local IPaddress of the client 102, and returning or replying with an IIP address282, such as the IIP address 282 assigned to the user. In someembodiments, the hooking mechanism 350 may include any of the mechanismsof the interceptor 350 described above in conjunction with FIG. 3. Inother embodiments, the hooking mechanism 350 may include any type andform of hooking mechanism 350, such as application level hook procedureor function. In one embodiment and by way of example, the hookingmechanism 350 comprises any of the Windows API calls for setting aapplication hooking procedure, such as via the SetWindowsHookEx APIcall. In some embodiments, the SetWindowsHookEx function installs anapplication-defined hook procedure into a hook chain.

Depending on the operating system of the client 102, the client agent120 may use the corresponding APIs of the OS to install, add, modify oruse a hook procedure 350 to hook or intercept messages of anapplication. A hook procedure 350 may be installed to monitor the systemfor certain types of events, which are associated either with a specificthread or with all threads in the same space as the calling thread. Inone embodiment, a hook, such as hooking mechanism 350, is a point in thesystem message-handling mechanism where an application, such as theclient agent 120, can install a subroutine to monitor the messagetraffic in the system and process certain types of messages before themessages reach the target processing function. In some embodiments, thehooking mechanism 350 may intercept or hook any of the followingfunction calls or messages of an application: gethostbyname,getaddrinfo, and getsockname. In other embodiments, the hookingmechanism 350 may hook any of the Windows Socket API extensions such asWSAIoctl, WSALookupServiceBegin, WSALookupServiceNext, andWSALookupServiceEnd.

In one embodiment, the client agent 120 transmits a request to theappliance 200 to determine the IIP address 282 of the host nameintercepted by the hooking mechanism 350. In some embodiments, theappliance 200 looks up the corresponding IIP address 282 of the hostname of the client 102 in a DNS, such as DNS 286 on appliance 200 or DNS406 on a server. In other embodiments, the client agent 120 uses theuser domain name 437 of the user associated with the application to pingor DNS query the IIP address 282. In some embodiments, the client agent120 transmits the local IP address of the client 102 and the appliance200 queries the corresponding IIP address 282. In one embodiment, theappliance 200 stores the name of the client 102 in association with theuser and/or IIP address in the IPLWDB 450. In other embodiments, theclient agent 120 has cached the IIP address of the user or client 102,and thus, does not need to query the appliance 200. For example, uponestablishment of a SSL VPN connection, the appliance 200 may transmitthe IIP address 282 to the client 102. With the hooking mechanism 350,instead of providing the client's local IP address (the client's addresson the first network 104), the client agent 120 provides the IIP address282 of the client (the client's or user's address on the second network104′).

In some embodiments, the hooking mechanism 350 of the client agent 120is used to return the IIP address for supporting the transparent andseamless use of online collaboration tools via SSL VPN connections. Inone embodiment, the application is a NetMeeting application manufacturedby the Microsoft Corporation of Redmond, Wash. In some embodiments, anyof the applications 230 may comprise any type of hosted service orproducts, such as GoToMeeting™ provided by Citrix Online Division, Inc.of Santa Barbara, Calif., WebEX™ provided by WebEx, Inc. of Santa Clara,Calif., or Microsoft Office LiveMeeting provided by MicrosoftCorporation of Redmond, Wash. With the hooking mechanism 350 providingthe IIP address 282 assigned to the client via the SSL VPN connection,the application does not need to be modified to work as designed via theSSL VPN session. The hooking mechanism 350 provides the IIP address 282of the client 102 or user if the client 102 instead of the local IPaddress when making a request to get the IP address of the client 102.

Communication between a program neighborhood-enabled client 102 and aserver 106 or appliance 200 may occur over a dedicated virtual channelthat is established on top of an ICA virtual channel. In someembodiments, the communication occurs using an XML service. In otherembodiments, the client 102 runs a client-side dialog that acquires thecredentials of a user of the client 102. In still other embodiments, auser management subsystem on a server 106 receiving the credentials ofthe user may return a set of distinguished names representing the listof accounts to which the user belongs. Upon authentication, the server106 may establish a program neighborhood virtual channel, a controlchannel, or other communications channel. In yet other embodiments, anacceleration program 302 may also be transmitted to the client 102 inresponse to a client 102 request.

In some embodiments, a client 102 may use the client agent 120 to browsefarm 38, servers 106 and applications in the farm 38. In one embodiment,each server 106 includes an ICA browsing subsystem to provide the client102 with browsing capability. After the client 102 establishes aconnection with the ICA browser subsystem of any of the servers 106,that browser subsystem supports a variety of client 102 requests. Suchrequests include: (1) enumerating names of servers in the farm, (2)enumerating names of applications published in the farm, (3) resolving aserver name and/or application name to a server address that is usefulto the client 102. The ICA browser subsystem also supports requests madeby clients 102 running a program neighborhood application that providesthe client 102, upon request, with a view of those applications withinthe farm 38 for which the user is authorized. The ICA browser subsystemforwards all of the above-mentioned client requests to the appropriatesubsystem in the server 106.

In one embodiment, a user of the client 102 selects an application forexecution from a received enumeration of available applications. Inanother embodiment, the user selects an application for executionindependent of the received enumeration. In some embodiments, the userselects an application for execution by selecting a graphicalrepresentation of the application presented on the client 102 by aclient agent 120. In other embodiments, the user selects an applicationfor execution by selecting a graphical representation of the applicationpresented to the user on a web server or other server 106. In someembodiments, an appliance 200 or acceleration program 302 acceleratesdelivery of the graphical representation. In some embodiments, anappliance 200 caches or stores the graphical representation. In someembodiments an appliance 200 may cache or store any and all of theassociated applications or portions of the associated applications.

In some embodiments, when a client 102 connects to the network 104, theuser of the client 102 provides user credentials. User credentials mayinclude the username of a user of the client 102, the password of theuser, and the domain name for which the user is authorized.Alternatively, the user credentials may be obtained from smart cards,time-based tokens, social security numbers, user passwords, personalidentification (PIN) numbers, digital certificates based on symmetrickey or elliptic curve cryptography, biometric characteristics of theuser, or any other means by which the identification of the user of theclient 102 can be obtained and submitted for authentication. The server106 or appliance 200 responding to the client 102 can authenticate theuser based on the user credentials.

In some embodiments, the client 102 provides credentials upon making arequest for execution of an application to a server 106, directly orthrough an appliance 200. In one of these embodiments, the client 102requests access to an application residing on a server 106. In anotherof these embodiments, the client 102 requests access to a network onwhich a desired resource resides. In other embodiments, the client 102provides credentials upon making a request for a connection to anappliance 200. In one of these embodiments, the client 102 requestsaccess to a virtual private network. In another of these embodiments,the client 102 requests a network address on the virtual privatenetwork. In still another of these embodiments, the client 102 initiatesa connection to the appliance 200.

In some embodiments, the user provides credentials to the server 106 orappliance 200 via a graphical user interface presented to the client 102by the server 106 or appliance 200. In other embodiments, a server 106or appliance 200 having the functionality of a web server provides thegraphical user interface to the client 102. In still other embodiments,a collection agent transmitted to the client 102 by the server 106 orappliance 200 gathers the credentials from the client 102.

In one embodiment, a credential refers to a username and password. Inanother embodiment, a credential is not limited to a username andpassword but includes, without limitation, a machine ID of the client102, operating system type, existence of a patch to an operating system,MAC addresses of installed network cards, a digital watermark on theclient device, membership in an Active Directory, existence of a virusscanner, existence of a personal firewall, an HTTP header, browser type,device type, network connection information such as internet protocoladdress or range of addresses, machine ID of the server 106 or appliance200, date or time of access request including adjustments for varyingtime zones, and authorization credentials.

In some embodiments, a credential associated with a client 102 isassociated with a user of the client 102. In one of these embodiments,the credential is information possessed by the user. In another of theseembodiments, the credential is user authentication information. In otherembodiments, a credential associated with a client is associated with anetwork. In one of these embodiments, the credential is informationassociated with a network to which the client may connect. In another ofthese embodiments, the credential is information associated with anetwork collecting information about the client. In still otherembodiments, a credential associated with a client is a characteristicof the client.

In some embodiments, the user authentication performed by the server 106or appliance 200 may suffice to authorize the use of each hostedapplication program presented to the client 102, although suchapplications may reside at another server 106′. Accordingly, when theclient 102 launches (i.e., initiates execution of) one of the hostedapplications, additional input of user credentials by the client 102 maybe unnecessary to authenticate use of that application. Thus, a singleentry of the user credentials may serve to determine the availableapplications and to authorize the launching of such applications withoutan additional, manual log-on authentication process by the user.

In one embodiment, an appliance 200 receives a request for access to aresource from a client 102. In another embodiment, the appliance 200receives a request for access to a virtual private network. In stillanother embodiment, the appliance 200 makes a determination as towhether to grant access and what level of access to grant. In yetanother embodiment, the appliance 200 makes a determination as to whattype of connection to establish when providing the client with access tothe application.

In some embodiments, decisions regarding whether and how to grant a useraccess to a requested resource are made responsive to determinations bya policy engine regarding whether and how a client 102 may access anapplication. In one of these embodiments, a decision regarding a levelof access is made responsive to a policy engine determination. Inanother of these embodiments, a decision regarding a type of access ismade responsive to a policy engine determination. In still another ofthese embodiments, a decision regarding a type of connection is maderesponsive to a policy engine determination. The policy engine maycollect information about the client 102 prior to making thedetermination. In some embodiments, the policy engine resides on theappliance 200. In other embodiments, the appliance 200 is incommunication with a police engine residing on a server 106.

E. IIP Address “Stickiness” to a User

Referring now to FIG. 5, an embodiment of steps of a method 500 forassigning an IIP address 282 to a user is depicted. In one embodiment,the method 500 is practiced to provide IIP address stickiness for auser. In some embodiments, an SSL VPN user may login and logout of theappliance 200 multiple times from different computers. For example, theuser may roam from computing device to computing device or switch fromone location to another. In some example, an SSL VPN user may be on amobile device and have the network connectivity disrupted causing thedevice to re-establish the SSL VPN connection. With the techniquesdepicted by method 500, the SSL VPN user may get assigned the same IIPaddress 282 for each of those sessions. In some embodiments, theappliance 200 may be configured with policies 420 specifying what IIPaddress 282 should be assigned to a user.

In brief overview of method 500, at step 505, the appliance 200designates a plurality of IIP address 282A-292N to a user, such as anSSL VPN user, from a pool 410 of IIP addresses. At step 510, theappliance 200 receives a request from a client 102 operated by the userto establish a connection via the appliance 200 to a network 104′, suchas an SSL VPN connection. At step 515, the appliance 200 assigns to theclient or the user an IIP address 282 on network 104′ from the IIPaddress pool 410. The appliance 200 may make the assignment based onpolicy 420, temporal information or the status of any of the designatedIIP addresses 282A-282N for the user. For example, in one embodiment,the appliance 200 assigns the most recently used IIP address 282 of theuser to the client 102. At step 525, in some embodiments, the appliance200 determines whether to provide a mapped IP or to transfer a session.For example, if an inactive IIP address 282 is not available forassigning to the user, the appliance 200 may opt to use a MIP address atstep 530 or to request the user to transfer an active session to thecurrent request at step 535.

In further detail, at step 505, the appliance 200 may designate orallocate any set of one or more IIP addresses 282A-282N for a user. Insome embodiments, the appliance 200 designates one IIP address 282. Inother embodiments, the appliance 200 designates up to a predeterminednumber of multiple IIP addresses 282A-282N for the user, such as 2, 3,4, 5, 6, 7, 9, 10, 15, 20 or 26 IIP addresses. In one embodiment, themultiple IIP addresses 282A-228N comprise a continuous range of IPaddresses on network 104′, for example, IP addresses 200.10.1.1 to200.20.1.10. In another embodiment, the multiple IIP addresses 282A-282Ncomprises any set of IP addresses on network 104′ that are notsubsequent to each other. In yet another embodiment, the multiple IIPaddresses 282A-282N are any combination of subsequent IP address rangesand single or separate IP addresses.

In one embodiment, the appliance 200 obtains a set of internet protocoladdresses from a DNS for the network 104′ accessed via the appliance200. For example, the appliance 200 may obtain a set of IP addresses forthe intranet from a DNS server 406 or a RADIUS server 508. In anotherexample, the appliance 200 may provide or act as a DNS 286 and allocatethe IP addresses for the intranet. In some embodiments, one or more IIPaddresses 282A-282N may be associated or designated with a user via abind or similar command issued at the CLI 212 or GUI 210 of theappliance 200. In other embodiments, the appliance 200 may obtain from aDNS IP addresses 282A-282N on network 104's that are associated with auser. In some embodiments, the appliance 200 designates a portion of thefree IIP pool 412 to the user. In other embodiments, the appliance 200may designate or reclaim a portion of the reclaim IIP pool 414 to theuser.

At step 510, the user via client 102 transmits a request to theappliance 200 to establish a connection to the network 104′. In someembodiments, the appliance 200 identifies the user from the request. Inother embodiments, the appliance 200 identifies the user from receipt oflogin or authentication credentials. For example, in some embodiments,the user submits a user id and password via a URL or web-page of theappliance 200. In one embodiment, the client agent 120 requests toestablish a tunnel connection with the appliance 200 using any type andform of tunneling protocol. In another embodiment, the client agent 120requests to establish a virtual private network connection via theappliance 200 to a network 104. For example, the client agent 120 mayestablish a virtual private network connection with the appliance 200 toconnect the client 102 on the first network 104 to a second network104′. In some embodiments, the client agent 120 establishes a SSL VPNconnection with the appliance 200. In yet another embodiment, the clientagent 120 establishes a tunnel or virtual private network connectionusing Transport Layer Secure (TLS) protocol. In one embodiment, theclient agent 120 requests to establish a tunnel connection using theCommon Gateway Protocol (CGP) manufactured by Citrix Systems, Inc. ofFt. Lauderdale, Fla.

At step 515, the appliance 200, in response to receiving the requestfrom the user or the client 102, assigns an IIP address 282 on thesecond network 104′ from the designated set of IIP addresses 282A-282Nof the user. In one embodiment, the appliance 200 determines the IIPaddress 282 to assign based on an IIP policy 420. For example, in someembodiments to maintain IIP stickiness, the appliance 200 via IIP policy420 determines the most recently used IIP address 282 of the user. Inother embodiments to maintain IIP stickiness, the appliance 200 viainformation tracked by the IPLWDB 450 determines the most used IIPaddress 282 of the user from the set of IIP addresses 282A-282N. In someembodiments, in the case of one or more active SSL VPN sessions, theappliance 200 determines the next most recently used or most used IIPaddress 282 of the user. In yet other embodiments, the appliance 200determines an appropriate, desired or policy-driven IIP address 282 toassign the user from the designated set of user IIP addresses 282A-282Nby any combination of policy 435, status of sessions associated with theuser's IIP addresses 282A-282N, and temporal information of sessionsassociated with the user's IIP addresses 282A-282N.

In one embodiment, the appliance 200 may use any sub-pool 412, 414 or416 of the IP pool 410 to assign an IIP address 282 to the user. In someembodiment, the free IIP pool 412 may not have an available IIP addressof the user. For example, all the IIP addresses of the user are markedas active or already assigned to a session. As such, in theseembodiments, the appliance 200 may search the reclaim IIP pool 414 forany IIP addresses of the user assigned but available to reclaim. Instill another embodiment, the appliance 200 may search the transfer IIPpool 416 for any IIP addresses of the user. In yet other embodiments,the appliance 200 may search any designated allocations or pools forgroup, global or vServer IIP addresses for an IP address that may bedesignated and assigned for the user or otherwise provided as a mappedIP address. In some embodiments, the appliance 200 searches portions ofthe IP pool 410 for IIP addresses of the user in an ordered orprioritized manner, such as the free IIP pool 412, first, the reclaimIIP pool 414, second and the transfer IIP pool 416 third. In oneembodiment, the search order or priority may be specified by a policy420.

In many embodiments, the appliance 200 provides a previously assignedIIP address 282 of the user from the free IIP pool 412 or the reclaimIIP pool 414. In some embodiments, the appliance 200 provides the userwith the most recently or last assigned IIP address to provide IIPstickiness. However, at step 525, in some embodiments, the appliance 200determines whether to provide a mapped IP 440 or a transfer session 445.In some embodiments, an IIP policy 420 specifies whether to use a mappedIP 440 or a transfer session 445 in cases of the appliance 200 notfinding an available IIP address 282 of the user from the free IIP pool412 and/or the reclaimed IIP pool 414. In other embodiments, an IIPpolicy 420 may specify to use a Mapped IP 440 in cases of the appliance200 not finding an inactive IIP address in any pool 410, or an availableIIP address in the free IIP pool 412. In one embodiment, if the IIPpolicy 420 specifies to use a Mapped IP 440 at step 525, then, at step530 provides a Mapped IP 440 instead of using an assigned IIP address272.

In the cases of using a Mapped IP 440, the appliance 200 modifies anypackets to and from the client 102 with an IIP address 282 of thenetwork 104′. For example, instead of assigning the user a userdesignated IIP address 282, the appliance 200 may use any available IIPaddress of the IIP pool 410, such as a globally available IIP address.The appliance 200 may modify the packets transmitted from the client 102to have this mapped IP 440 when transmitted from the appliance 200 to aserver 106. Also, in some embodiments, the appliance 200 may modifypackets transmitted from the server 106 to the client 102 to change theMapped IP 440 to the IP address of the client 102, such as the IPaddress of the client 102 on the first network 104. In some embodiments,the appliance 200 stores in the IPLWDB 450 the association of the mappedIP 440 to the user and/or client 102.

In another embodiment, if the IIP policy 420 specifies to use a transfersession 445 at step 525, then, at step 535, the appliance 200 initiatesa transfer of an active session of the user. In one embodiment, uponreceiving, by the appliance 200, a request from a first client operatedby a user to establish a VPN session, the appliance may create atemporary VPN session with the client. In some embodiments, theappliance 200 may refuse to accept any data received via the temporarysession until a new VPN session is created from temporary session. Inother embodiments, the temporary VPN session may be allocated lessresources by the appliance than would be allocated to a standard VPNsession. In another embodiment, a temporary VPN session may not beassigned an IIP address 282, or may otherwise be prevented fromreceiving data. In some embodiments, the appliance may identify a numberof properties associated with the existing session. In one embodiment,after identifying an existing session, the appliance 200 may transmit amessage to the user via the previously existing session indicating thecurrent session attempt.

In some embodiments, the appliance 200 may transmit to the client 102 ofthe user a request for information corresponding to whether to terminatethe previous session. In some embodiments, this request may comprise aweb page which accepts user input. For example, the web page maycomprise an enumerated list of existing sessions, with input means forthe user to a select one or more sessions to be terminated. In otherembodiments, this request may comprise a communication to a client agent120, which then may respond on behalf of the user. In some embodiments,this request may comprise a request for information corresponding towhether to terminate one or more of a plurality of previous sessions.

In one embodiment, the request may comprise information relating to anyof the properties of the existing session. In some embodiments, thisinformation may be displayed to the user along with the choice ofwhether to terminate the existing session. For example, a web page maybe displayed to the user stating “you have a previously existing sessionwhich was opened July 2nd at 10:30 am, do you wish to close?” In otherembodiments, this information may be transmitted to a client agent whichmay then make a determination whether to close a previously existingsession based on the properties of the previously existing session. Forexample, a client agent 120 executing on the client making the newsession request may determine to automatically terminate a previoussession in the event that no applications are currently associated withthe previous session.

In some embodiments, the request may also comprise a request forinformation relating to whether the user would like to transfer datafrom a previous session to a current session. For example, if a user wasremotely executing an application, the user may wish to resume theremote execution and the previous session or sessions associated withthe remote execution using the current session. After transmitting, fromthe appliance 200 to the client 102, a request for informationcorresponding to whether to terminate the previous session the appliancemay receive, from the client or the user, a response comprising anindication to terminate the previous session. In still otherembodiments, the appliance 200 may receive a response comprising arequest to transfer data associated with a previous session to thecurrent session. In these embodiments, the appliance 200 assigns the IIPaddress 282A of the previous session to the new session.

In the event the appliance 200 receives a response comprising anindication not to terminate the previous session, the appliance 200 mayrefuse to allow the user access, and terminate the temporary VPNsession. In these embodiments, the appliance 200 maintains theassociation of the IIP addresses 282 with the previous session and doesnot assign the IIP address to the new session. In other embodiments, theappliance 200 may create a new VPN session unrelated to any of theidentified previous sessions. In these embodiments, the appliance 200may assign an available IIP address from another entity, such as group,vServer or global or another user, to the new VPN session.

F. Client End-Point Detection and Authorization Via Client SecurityString

Referring now to FIG. 6A, one embodiment of a computer network isdepicted, which includes a client 102, a collection agent 304, a policyengine 235, a policy database 608, a server farm 38, and an applicationserver 106. In one embodiment, the policy engine 236 is a server 106.Although only one client 102, collection agent 304, policy engine 236,server farm 38, and application server 106 are depicted in theembodiment shown in FIG. 6A, it should be understood that the system mayprovide multiple ones of any or each of those components.

In brief overview, when the client 102 transmits a request 610 to thepolicy engine 236 for access to an application, the collection agent 304communicates with client 102, retrieving information about the client102, and transmits the client information 612 to the policy engine 236.The policy engine 236 makes an access control decision by applying apolicy from the policy database 608 to the received information 612.

In more detail, the client 102 transmits a request 610 for a resource tothe policy engine 236. In one embodiment, the policy engine 236 resideson an application server 106′. In another embodiment, the policy engine236 is a server 106. In still another embodiment, the policy engine 236resides on an appliance 200. In yet another embodiment, an applicationserver 106′ or an appliance 200 receives the request 610 from the client102 and transmits the request 610 to the policy engine 236. In a furtherembodiment, the client 102 transmits a request 610 for a resource to aserver 106, which transmits the request 610 to the policy engine 236.

Upon receiving the request, the policy engine 236 initiates informationgathering by the collection agent 304. The collection agent 304 gathersinformation regarding the client 102 and transmits the information 612to the policy engine 236.

In some embodiments, the collection agent 304 gathers and transmits theinformation 612 over a network connection. In some embodiments, thecollection agent 304 comprises bytecode, such as an application writtenin the bytecode programming language JAVA. In some embodiments, thecollection agent 304 comprises at least one script. In thoseembodiments, the collection agent 304 gathers information by running atleast one script on the client 102. In some embodiments, the collectionagent comprises an Active X control on the client 102. An Active Xcontrol is a specialized Component Object Model (COM) object thatimplements a set of interfaces that enable it to look and act like acontrol.

In one embodiment, the policy engine 236 transmits the collection agent304 to the client 102. In another embodiment, an appliance 200 may storeor cache the collection agent 304. The appliance 200 may then transmitthe collection agent to a client 102. In other embodiments, an appliance200 may intercept the transmission of a collection agent 304. In stillanother embodiment, an appliance 200 may accelerate the delivery of acollection agent 304. In one embodiment, the policy engine 236 requiresa second execution of the collection agent 304 after the collectionagent 304 has transmitted information 612 to the policy engine 236. Inthis embodiment, the policy engine 236 may have insufficient information612 to determine whether the client 102 satisfies a particularcondition. In other embodiments, the policy engine 236 requires aplurality of executions of the collection agent 304 in response toreceived information 612.

In some embodiments, the policy engine 236 transmits instructions to thecollection agent 304 determining the type of information the collectionagent 304 gathers. In those embodiments, a system administrator mayconfigure the instructions transmitted to the collection agent 304 fromthe policy engine 236. This provides greater control over the type ofinformation collected. This also expands the types of access controldecisions that the policy engine 236 can make, due to the greatercontrol over the type of information collected. The collection agent 304gathers information 612 including, without limitation, machine ID of theclient 102, operating system type, existence of a patch to an operatingsystem, MAC addresses of installed network cards, a digital watermark onthe client device, membership in an Active Directory, existence of avirus scanner, existence of a personal firewall, an HTTP header, browsertype, device type, network connection information such as internetprotocol address or range of addresses, machine ID of the server 106,date or time of access request including adjustments for varying timezones, and authorization credentials. In some embodiments, a collectionagent gathers information to determine whether an application can beaccelerated on the client using an acceleration program 302.

In some embodiments, the device type is a personal digital assistant. Inother embodiments, the device type is a cellular telephone. In otherembodiments, the device type is a laptop computer. In other embodiments,the device type is a desktop computer. In other embodiments, the devicetype is an Internet kiosk.

In some embodiments, the digital watermark includes data embedding. Insome embodiments, the watermark comprises a pattern of data insertedinto a file to provide source information about the file. In otherembodiments, the watermark comprises data hashing files to providetamper detection. In other embodiments, the watermark provides copyrightinformation about the file.

In some embodiments, the network connection information pertains tobandwidth capabilities. In other embodiments, the network connectioninformation pertains to Internet Protocol address. In still otherembodiments, the network connection information consists of an InternetProtocol address. In one embodiment, the network connection informationcomprises a network zone identifying the logon agent to which the client102 provided authentication credentials.

In some embodiments, the authorization credentials include a number oftypes of authentication information, including without limitation, usernames, client names, client addresses, passwords, PINs, voice samples,one-time passcodes, biometric data, digital certificates, tickets, etc.and combinations thereof. After receiving the gathered information 612,the policy engine 236 makes an access control decision based on thereceived information 612.

Referring now to FIG. 6B, a block diagram depicts one embodiment of apolicy engine 236, including a first component 620 comprising acondition database 622 and a logon agent 624, and including a secondcomponent 630 comprising a policy database 632. The first component 620applies a condition from the condition database 622 to informationreceived about client 102 and determines whether the receivedinformation satisfies the condition.

In some embodiments, a condition may require that the client 102 executea particular operating system to satisfy the condition. In someembodiments, a condition may require that the client 102 execute aparticular operating system patch to satisfy the condition. In stillother embodiments, a condition may require that the client 102 provide aMAC address for each installed network card to satisfy the condition. Insome embodiments, a condition may require that the client 102 indicatemembership in a particular Active Directory to satisfy the condition. Inanother embodiment, a condition may require that the client 102 executea virus scanner to satisfy the condition. In other embodiments, acondition may require that the client 102 execute a personal firewall tosatisfy the condition. In some embodiments, a condition may require thatthe client 102 comprise a particular device type to satisfy thecondition. In other embodiments, a condition may require that the client102 establish a particular type of network connection to satisfy thecondition.

If the received information satisfies a condition, the first component620 stores an identifier for that condition in a data set 626. In oneembodiment, the received information satisfies a condition if theinformation makes the condition true. For example, a condition mayrequire that a particular operating system be installed. If the client102 has that operating system, the condition is true and satisfied. Inanother embodiment, the received information satisfies a condition ifthe information makes the condition false. For example, a condition mayaddress whether spyware exists on the client 102. If the client 102 doesnot contain spyware, the condition is false and satisfied.

In some embodiments, the logon agent 624 resides outside of the policyengine 236. In other embodiments, the logon agent 624 resides on thepolicy engine 236. In one embodiment, the first component 620 includes alogon agent 624, which initiates the information gathering about client102. In some embodiments, the logon agent 624 further comprises a datastore. In these embodiments, the data store includes the conditions forwhich the collection agent may gather information. This data store isdistinct from the condition database 622.

In some embodiments, the logon agent 624 initiates information gatheringby executing the collection agent 304. In other embodiments, the logonagent 624 initiates information gathering by transmitting the collectionagent 304 to the client 102 for execution on the client 102. In stillother embodiments, the logon agent 624 initiates additional informationgathering after receiving information 612. In one embodiment, the logonagent 624 also receives the information 612. In this embodiment, thelogon agent 624 generates the data set 626 based upon the receivedinformation 612. In some embodiments, the logon agent 624 generates thedata set 626 by applying a condition from the database 622 to theinformation received from the collection agent 304.

In another embodiment, the first component 620 includes a plurality oflogon agents 624. In this embodiment, at least one of the plurality oflogon agents 624 resides on each network domain from which a client 102may transmit a resource request. In this embodiment, the client 102transmits the resource request to a particular logon agent 624. In someembodiments, the logon agent 624 transmits to the policy engine 236 thenetwork domain from which the client 102 accessed the logon agent 624.In one embodiment, the network domain from which the client 102 accessesa logon agent 624 is referred to as the network zone of the client 102.

The condition database 622 stores the conditions that the firstcomponent 620 applies to received information. The policy database 632stores the policies that the second component 630 applies to thereceived data set 626. In some embodiments, the condition database 622and the policy database 632 store data in an ODBC-compliant database.For example, the condition database 622 and the policy database 632 maybe provided as an ORACLE database, manufactured by Oracle Corporation ofRedwood Shores, Calif. In other embodiments, the condition database 622and the policy database 632 can be a Microsoft ACCESS database or aMicrosoft SQL server database, manufactured by Microsoft Corporation ofRedmond, Wash.

After the first component 620 applies the received information to eachcondition in the condition database 622, the first component transmitsthe data set 626 to second component 630. In one embodiment, the firstcomponent 620 transmits only the data set 626 to the second component630. Therefore, in this embodiment, the second component 630 does notreceive information 612, only identifiers for satisfied conditions. Thesecond component 630 receives the data set 626 and makes an accesscontrol decision by applying a policy from the policy database 632 basedupon the conditions identified within data set 626.

In one embodiment, policy database 632 stores the policies applied tothe received information 612. In one embodiment, the policies stored inthe policy database 632 are specified at least in part by the systemadministrator. In another embodiment, a user specifies at least some ofthe policies stored in the policy database 632. The user-specifiedpolicy or policies are stored as preferences. The policy database 632can be stored in volatile or non-volatile memory or, for example,distributed through multiple servers.

In one embodiment, a policy allows access to a resource only if one ormore conditions are satisfied. In another embodiment, a policy allowsaccess to a resource but prohibits transmission of the resource to theclient 102. Another policy might make connection contingent on theclient 102 that requests access being within a secure network. In someembodiments, the resource is an application program and the client 102has requested execution of the application program. In one of theseembodiments, a policy may allow execution of the application program onthe client 102. In another of these embodiments, a policy may enable theclient 102 to receive a stream of files comprising the applicationprogram. In this embodiment, the stream of files may be stored andexecuted in an isolation environment. In still another of theseembodiments, a policy may allow only execution of the applicationprogram on a server 106, such as an application server, and require theserver 106 to transmit application-output data to the client 102.

Referring now to FIG. 6C, a flow diagram depicts one embodiment of thesteps taken by the policy engine 236 to make an access control decisionbased upon information received about a client 102. Upon receivinggathered information about the client 102 (Step 650), the policy engine236 generates a data set based upon the information (Step 652). The dataset 626 contains identifiers for each condition satisfied by thereceived information 612. The policy engine 236 applies a policy to eachidentified condition within the data set 626. That application yields anenumeration of resources which the client 102 may access (Step 654). Thepolicy engine 236 then presents that enumeration to the client 102. Insome embodiments, the policy engine 236 creates a Hypertext MarkupLanguage (HTML) document used to present the enumeration to the client.

In some embodiments, a determination is made as to a type of connectionto establish when granting access to a resource responsive to adetermination by a policy engine such as the policy engine 236 describedabove in FIG. 6A, FIG. 6B and FIG. 6C. In other embodiments, adetermination is made as to a method for granting access to a resource,such as a method for execution, responsive to a determination by apolicy engine such as the policy engine 236 described above in FIG. 6A,FIG. 6B and FIG. 6C. In other embodiments, the server 106 or appliance200 receiving the credentials and the request to execute the enumeratedapplication further comprises such a policy engine 236.

In one embodiment, one of a plurality of types of access is identified,responsive to a policy, each of the plurality of types of accessassociated with at least one connection characteristic. In oneembodiment, the identification is made responsive to an application of apolicy to the received credentials associated with the client 102. Insome embodiments, the selection is made by a policy engine such as thepolicy engine 236 described above in FIG. 6A, FIG. 6B and FIG. 6C. Inother embodiments, the server 106 or appliance 200 receiving thecredentials and the request to execute the enumerated applicationfurther comprises such a policy engine 236.

In some embodiments, after a server 106 or appliance 200 authorizesaccess to a resource, a client 102 performs a pre-launch analysis of theclient 102. In one of these embodiments, the client 102 performs thepre-launch analysis to confirm authorization to access a resource, or tocomplete the authorization process. In other embodiments, the client 102performs a pre-launch analysis of the client 102 prior to theauthorization decision. In still other embodiments, the client 102performs a pre-launch analysis of the client 102 after receivingauthorization to access a resource but prior to the establishment of aconnection to the resource. In one of these embodiments, the client 102performs a pre-launch analysis of the client 102 after receivingauthorization to access a resource but prior to an identification of atype of connection authorized for use in accessing the resource.

In one embodiment, the client 102 performs the pre-launch analysis priorto retrieving and executing a resource, such as a plurality ofapplication files comprising an application program. In anotherembodiment, the client 102 performs the pre-launch analysis responsiveto a received indication that the pre-launch analysis is a requirementfor authorization to access a resource, such as the plurality ofapplication files comprising an application program. In still anotherembodiment, the client 102 retrieves at least one characteristicrequired for execution of an application program. In yet anotherembodiment, the client 102 receives access information indicating alocation of a file for retrieval by the client 102, the file enumeratingthe at least one characteristic. In some embodiments, the client 102performs the pre-launch analysis after a server 106 or appliance 200selects a method of providing access to a resource and identifying atype of connection to establish between the client and the resource.

The client 102 determines the existence of the at least onecharacteristic on the client 102. In some embodiments, the client 102makes this determination as part of the pre-launch analysis. In oneembodiment, determining the existence of the at least one characteristicon the client 102 includes determining whether a device driver isinstalled on the client 102. In another embodiment, determining theexistence of the at least one characteristic on the client 102 includesdetermining whether an operating system is installed on the client 102.In still another embodiment, determining the existence of the at leastone characteristic on the client 102 includes determining whether aparticular operating system is installed on the client 102. In yetanother embodiment, determining the existence of the at least onecharacteristic on the client 102 includes determining whether aparticular revision level of an operating system is installed on theclient 102.

In some embodiments, determining the existence of the at least onecharacteristic on the client 102 includes determining whether the client102 has acquired authorization to execute an enumerated application. Inone of these embodiments, a determination is made by the client 102 asto whether the client 102 has received a license to execute theenumerated application. In another of these embodiments, a determinationis made by the client 102 as to whether the client 102 has received alicense to receive across an application streaming session a pluralityof application files comprising the enumerated application. In otherembodiments, determining the existence of the at least onecharacteristic on the client 102 includes determining whether the client102 has sufficient bandwidth available to retrieve and execute anenumerated application.

In some embodiments, determining the existence of the at least onecharacteristic on the client 102 includes execution of a script on theclient 102. In other embodiments, determining the existence of the atleast one characteristic on the client 102 includes installation ofsoftware on the client 102. In still other embodiments, determining theexistence of the at least one characteristic on the client 102 includesmodification of a registry on the client 102. In yet other embodiments,determining the existence of the at least one characteristic on theclient 102 includes transmission of a collection agent 304 to the client102 for execution on the client 102 to gather credentials associatedwith the client 102.

In some embodiments, the client 102 makes a request for authorization toexecute an application responsive to a determination that at least onecharacteristic exists on the client 102. In one of these embodiments,the client 102 determines that a plurality of characteristics exist onthe client 102, the plurality of characteristics associated with anenumerated application and received responsive to a request to executethe enumerated application. In another of these embodiments, whether theclient 102 receives authorization for execution of the enumeratedapplication files depends upon existence of the at least onecharacteristic on the client 102. In one embodiment, the client 102received an enumeration of application programs, requested execution ofan enumerated application, and received access information including theat least one characteristic and a launch ticket authorizing theexecution of the enumerated application upon the determination of theexistence of the at least one characteristic on the client 102. In someembodiments, the client 102 executes a second client agent 120′, thesecond client agent 120′ requesting execution of an application on aserver 106, responsive to a determination that the client 102 lacks theat least one characteristic.

Referring now to FIG. 7, a block diagram depicts one embodiment of asystem for authorizing a level of access of a client to a virtualprivate network connection based on a client-side attribute. In briefoverview, the system includes a client 102, a means for transmitting arequest 702, a request 704, an evaluation component 706, a means fortransmitting a response 708, a means for receiving an authorizationassignment 710, and an appliance 200.

The means for transmitting a request 702 transmits from the client 102to the appliance 200 the request for a virtual private networkconnection to a network. In one embodiment, the means for transmitting arequest 702 comprises a transmitter. In another embodiment, the meansfor transmitting a request 702 resides in the client agent 120. In oneembodiment, the means for transmitting a request 702 transmits a requestfor access to a resource, such as an application or server 106, residingon the network. In another embodiment, the means for transmitting arequest 702 transmits a request for a network address on the virtualprivate network. In still another embodiment, the means for transmittinga request 702 transmits the request for the virtual private networkconnection after authenticating the client 102 to the appliance 200. Inyet another embodiment, the means for transmitting a request 702transmits the request prior to the establishment of a controlconnection. In a further embodiment, the appliance 200 establishes thecontrol connection responsive to receiving the request from the client102.

The request 704 is received by the client 102, via a control connectionbetween the client 102 and the appliance 200, for evaluation of at leastone clause of a security string, the at least one clause identifying anobject for evaluation, an attribute of the object, and a pre-requisiteassociated with the attribute. In one embodiment, the request 704includes at least one clause of a security string, the at least oneclause identifying the client as an object for evaluation. In anotherembodiment, the request 704 includes at least one clause of a securitystring, the at least one clause identifying a presence of an applicationprogram on the client as an attribute of the object. In still anotherembodiment, the request 704 includes at least one clause of a securitystring, the at least one clause identifying an absence of an applicationprogram on the client as an attribute of the object. In yet anotherembodiment, the request 704 includes at least one clause of a securitystring, the at least one clause identifying a presence of a version ofan application program on the client as an attribute of the object.

In one embodiment, the request 704 includes at least one clause of asecurity string, the at least one clause identifying an absence of aversion of an application program on the client as an attribute of theobject. In another embodiment, the request 704 includes at least oneclause of a security string, the at least one clause identifying apresence of a required version of an application program on the clientas a pre-requisite. In still another embodiment, the request includes atleast one clause of a security string, the at least one clauseidentifying a presence of an application program on the client as apre-requisite. In yet another embodiment, the request includes at leastone clause of a security string, the at least one clause identifying anabsence of an application program on the client as a pre-requisite. Insome embodiments, the request 704 is sent to the client 102 over thecontrol connection in response to a request by the client for access toa resource or initiation of a connection.

In some embodiments, the kernel on the client 102 receives a securitystring. In one of these embodiments, the kernel identifies one or moreatomic expressions within the security string. In another of theseembodiments, the atomic expressions within the security string areseparated by logical operators. The logical operators may be expressedby, for example, double ampersands indicating that the expressions areconjunctive or double slashes indicating that the expressions aredisjunctive. In still another of these embodiments, the at least oneclause of the security string is an atomic expression within thesecurity string separated from other expressions in the security stringby logical operators. In other embodiments, and as shown in shadow inFIG. 7, the kernel on the client 102 comprises receiver for receivingthe request 704 from the appliance 200 over the control channel. In oneof these embodiments, the kernel transmits all or part of the request tothe evaluation component 706.

In one embodiment, a user of an appliance 200 generates the securitystring. In another embodiment, the appliance 200 adds a generatedsecurity string as a policy. In still another embodiment, the appliance200 adds a generated security string as a policy within an authorizationserver, a policy engine, a firewall, a virtual private network server,or other security appliance. In some embodiments, the appliance 200transmits the generated security string to the client 102 in itsentirety and without re-formatting from the form in which the securitystring was generated. In other embodiments, the appliance 200 transmitsonly portions of the security string to the client 102, such as oneclause or atomic expression at a time. In still other embodiments, theappliance 200 transmits the generated security string to a kernel on theclient 102 for formatting and parsing into atomic expressions.

In one embodiment, a security string is associated with an authorizationgroup. In another embodiment, if a client 102 satisfies a requirementexpressed by the security string, the client 102 is assigned to theauthorization group. In still another embodiment, if a client 102 failsto satisfy a requirement expressed by the security string, the client102 is assigned to the authorization group. In some embodiments, if nosecurity string is assigned to an authorization group, the client 102request is granted without the need for evaluation of a security string.In other embodiments, if no authorization group is assigned to asecurity string, but evaluation of the security string is required bythe appliance 200, the client 102 request is denied.

In one embodiment, a security string is an expression of a policy. Inanother embodiment, and as an example, if a policy requires a client 102to execute a particular personal firewall program or a particularantivirus program before accessing a resource or a establishing a typeof connection, and if the policy assigns the client to a particularauthorization group if the client fails to satisfy the policy, asecurity string expressing the policy may be of the form:“pf_(—)1_ZoneAlarm_(—)4.0.012.013∥pf_(—)1_TrendMicro_(—)11.0.0”—clientsecurityAuthGroupag2.” In still another embodiment, and as a second example, a policy mayrequire a particular revision level of an antivirus program and aparticular process running, and if the policy assigns the client to aparticular authorization group if the client fails to satisfy thepolicy, a security string expressing the policy may be of the form:“av_(—)0_mcafeevirusscan_(—)4.88 &&svc_(—)0_svchost”-clientsecurityAuthGroup ag1.”

In some embodiments, a priority level may be assigned to the securitystring. In one of these embodiments, the appliance 200 may transmit thesecurity string having the highest priority to the client 102. Inanother of these embodiments, and as an example, if the appliance 200identifies the following two security strings:

sa1 -clientsecurity “av_0_mcafeevirusscan_4.88 && svc_0_svchost” -cliensecurityAuthGroup ag1 sa2 -clientsecurity“pf_1_ZoneAlarm_4.0.012.013 || pf_1_TrendMicro_11.0.0” -clientsecurityAuthGroup ag2,the appliance 200 may select the higher priority security string (sa1)over the lower priority string (sa2). In still another of theseembodiments, when a client 102 connects to a vServer 275 on theappliance 200, the appliance 200 evaluates applicable security stringsand identifies the security string to transmit to the client 102.

In other embodiments, a security string may be expressed in the form“object.attribute.prerequisite.” In one of these embodiments, and forexample, the security string may be an expression identifying the client102, a particular application program associated with the client 102 anda prerequisite associated with the program, the expression having thefollowing form:

client.application[mcafeevirusscan].version >= 4.88 &&client.svc[svchost]RUNNINGIn this embodiment, the object is the client 102 (client), the attributeis an antivirus program (application[mcafeevirusscan]), and thepre-requisite is that the application be of at least a particularversion level (version>=4.88). In this embodiment, the security stringcomprises two clauses and the second clause identifies the client 102, aprocess on the client (a service called svchost), and a pre-requisiteassociated with the process (that the svchost process be executing, orrunning, on the client). In this embodiment, the double ampersandindicates that the client must satisfy both of the clauses to satisfythe security string.

In another of these embodiments, and as a second example, the securitystring may comprise an expression having two disjunctive clauses inwhich the client 102 may satisfy one clause or the other to satisfy thesecurity string. In one example of this embodiment, the expression maybe of the following form:

client.application.pf[ZoneAlarm].version >= 4.0.012.013 ||client.application.pf[TrendMicro].version >= 11.0.0.In this embodiment, the client 102 will satisfy the security string ifthe client 102 executes a particular level of a particular personalfirewall (ZoneAlarm version 4.0.012.013 or greater) or if the client 102executes a particular level of a particular antivirus program(TrendMicro version 11.0.0 or greater).

The evaluation component 706 resides on the client 102, identifies theattribute, determines whether the attribute satisfies the pre-requisite,and evaluates the at least one clause. In some embodiments, theevaluation component 706 resides in the client agent 120. In otherembodiments, the kernel of the client 102 provides the functionality ofthe evaluation component 706. In still other embodiments, the kernel ofthe client 102 validates a response provided by the evaluation component706.

In one embodiment, the evaluation component 706 executes a script toevaluate the at least one clause. In another embodiment, the evaluationcomponent 706 is transmitted to the client 102 from the appliance 200.In still another embodiment, the evaluation component 706 is acollection agent, such as a collection agent 304 described above inconnection with FIGS. 4A, 4B, and 4C, the collection agent gatheringinformation associated with the attribute. In yet another embodiment,the evaluation component 706 evaluates the at least one clauseresponsive to the information gathered about the client 102.

In some embodiments, the evaluation component 706 identifies attributesof the client 102. In one of these embodiments, the attributes include,but are not limited to, any of the following: client operating system,presence of service packs, presence of hot fixes on the client,executing services, executing processes, presence of certain files,antivirus software, personal firewall software, anti-spam software,internet security software, and registry configuration. In another ofthese embodiments, the attributes of the client 102 include informationassociated with the client, such as the information described inconnection with the collection agent 304, described above in connectionwith FIG. 6A and FIG. 6B. In still another of these embodiments, theattributes of the client 102 include information associated with theclient and gathered as part of a pre-launch analysis, as describedabove.

In one embodiment, the evaluation component 706 identifies an attributeindicating a presence on the client of one of the following: a versionof an operating system, a service pack of the operating system, arunning service, a running process, and a file. In another embodiment,the evaluation component 706 identifies an attribute indicating apresence on the client of one of the following: antivirus software,personal firewall software, anti-spam software, and internet securitysoftware. In still another embodiment, the evaluation component 706identifies an attribute identifying a version of one of the following:antivirus software, personal firewall software, anti-spam software, andinternet security software. In yet another embodiment, the evaluationcomponent 706 determines that the attribute satisfies the pre-requisiteresponsive to the identification of the attribute.

In some embodiments, as described above, the client 102 performs thepre-launch analysis after a server 106 or appliance 200 selects a methodof providing access to a resource and identifying a type of connectionto establish between the client and the resource. In other embodiments,the client 102 performs a pre-launch analysis of the client 102 prior toan authorization decision by the appliance 200. In other embodiments,the client 102 performs a pre-launch analysis of the client 102 afterreceiving authorization to access a resource but prior to theestablishment of a connection to the resource. In one of theseembodiments, the client 102 performs a pre-launch analysis of the client102 after receiving authorization to access a resource but prior to anidentification of a type of connection authorized for use in accessingthe resource.

In some embodiments depicted by FIG. 6A and FIG. 6B, the client 102performs a pre-launch analysis prior to the identification of a type ofconnection to establish between the client and the resource. In one ofthese embodiments, the client 102 transmits a result of the pre-launchanalysis to the appliance 200. In another of these embodiments, theappliance 200 makes an access control decision, including anidentification of a type of connection to establish between the client102 and a requested resource, responsive to a received result of apre-launch analysis. In other embodiments, the client 102 evaluates asecurity string as part of a pre-launch analysis. In still otherembodiments, the client 102 transmits a result of a pre-launch analysisto a kernel on the client 102. In yet other embodiments, the kernelevaluates a security string responsive to a received result of thepre-launch analysis.

In some embodiments, the kernel on the client 102 receives the securitystring. In one of these embodiments, the kernel identifies a pluralityof clauses in the security string, the clauses separated by logicaloperators. In another of these embodiments, the clauses within thestring are atomic expressions. In still another of these embodiments,the kernel transmits at least one clause to the evaluation component 706for evaluation, the at least one clause comprising an atomic expression.In yet another of these embodiments, the evaluation component 706transmits a result of evaluating the atomic expression to the kernel.

In other embodiments, the kernel on the client 102 receives a result ofan evaluation of at least one clause in the security string from theevaluation component 706. In one of these embodiments, the kernel on theclient 102 evaluates a security string comprising a plurality of clausesresponsive to receiving a plurality of results from the evaluationcomponent 706. In another of these embodiments, the kernel on the client102 comprises the means for transmitting a response 708. In stillanother of these embodiments, the kernel on the client 102 transmits aresult of an evaluation of an entire security string, comprising aplurality of clauses, to the appliance 200.

The means for transmitting a response 708 transmits from the client 102to the appliance 200, via the control connection, a response comprisinga result of the evaluation of the at least one clause by the evaluationcomponent 706. In one embodiment, the means for transmitting a response708 transmits a packet to the appliance 200 with the result of theevaluation. In another embodiment, the means for transmitting a response708 transmits a “1” if the client satisfies the at least one clause or a“0” if the client does not satisfy the at least one clause. In someembodiments, the means for transmitting a response 708 resides on theevaluation component 706. In other embodiments, the means fortransmitting a response 708 resides in the client agent 120. In stillother embodiments, the means for transmitting a response 708 comprises atransmitter residing in the client agent 120 and sending packets overthe control channel.

The means for receiving an authorization assignment 710 receives fromthe appliance 200 at the client 102 an assignment to an authorizationgroup, the assignment determined based on the evaluation of the at leastone clause. In one embodiment, the means for receiving the authorizationassignment 710 receives an assignment made responsive to the result ofevaluation of a second clause by the appliance 200. In anotherembodiment, the means for receiving the authorization assignment 710receives an assignment made responsive to a determination by theappliance 200 that the client 102 lacks a desired attribute. In stillanother embodiment, the means for receiving the authorization assignment710 receives an assignment to an authorization group providingquarantined access to the network via the appliance 200.

In some embodiments, the means for receiving an authorization assignment710 comprises a component residing in the client agent 120. In otherembodiments, the means for receiving an authorization assignment 710resides in a kernel on the client 102. In still other embodiments, themeans for receiving an authorization assignment 710 comprises a receiverin communication with the appliance 200.

In some embodiments, an authorization group to which a user of a client102 belongs is identified by an evaluation of the client 102 and ofattributes of the client 102. In one of these embodiments, a user of aclient 102 requesting access to a network or other resource, orrequesting a connection to a network or a resource on the network, is amember of a group of users, each member in the group authorized toaccess particular resources via particular types of connections. Inanother of these embodiments, a user of a client 102 belongs to adefault authorization group. In still another of these embodiments, theappliance 200 evaluates the client 102 and determines that although theuser of the client 102 is a member of a particular authorization group,the user does not currently satisfy the requirements for membership inthe group, and is therefore not authorized to access the resources thatthe user is typically authorized to use. Alternatively, the appliance200 may evaluate the client 102 and determine that although the user isnot authorized to access particular resources via one type ofconnection, the client 102 may connect via a different type ofconnection. In yet another embodiment, the appliance 200 may evaluatethe client 102 and determine that although the user is not authorized toaccess a particular set of resources, the client 102 may access a subsetof those resources via a particular type of connection, such as via asecure connection to a quarantined network. In some embodiments, anauthorization group may be created for the user of the client 102 uponthe evaluation of the attributes of the client 102. In otherembodiments, the client 102 satisfies the requirements of the applicablesecurity strings and a connection is established according to the rulesor policies of the client 102's default authorization group.

In one embodiment, the means for receiving the authorization assignment710 receives a denial, from the appliance 200, of the client request ifthe security string is not associated with an authorization group. Inanother embodiment, the means for receiving the authorization assignment710 receives a denial, from the appliance 200, of the client request ifa pre-requisite in the security string is not satisfied. In stillanother embodiment, the means for receiving the authorization assignment710 receives an assignment made responsive an evaluation, by theappliance 200, of a second clause of the security string comprising oneor more logical operations.

Referring now to FIG. 8, a flow diagram depicts one embodiment of thesteps taken in a method for authorizing a level of access of a client toa virtual private network connection based on a client-side attribute.In brief overview, an appliance establishes a control connection with aclient upon receiving a client request to establish a virtual privatenetwork connection with a network (step 802). The appliance transmits,via the control connection, a request to the client to evaluate at leastone clause of a security string, the at least one clause including anexpression associated with a client-side attribute (step 804). Theclient transmits, via the control connection, a response to theappliance comprising a result of evaluating the at least one clause bythe client (step 806). The appliance assigns the client to anauthorization group based on the result of evaluation of the at leastone clause (step 808).

Referring now to FIG. 8, and in greater detail, an appliance establishesa control connection with a client upon receiving a client request toestablish a virtual private network connection with a network (step802). In one embodiment, the appliance receives a request from theclient to access a resource on a network, such as a file or application.In another embodiment, the appliance receives a request from the clientto access a server 106. In still another embodiment, the appliancereceives a request for an association between the client and a networkaddress associated with the virtual private network. In yet anotherembodiment, the client initiates establishment of the controlconnection. In some embodiments, the appliance is an appliance 200 asdescribed above.

The appliance transmits, via the control connection, a request to theclient to evaluate at least one clause of a security string, the atleast one clause including an expression associated with a client-sideattribute (step 804). In one embodiment, the appliance transmits therequest to a collection agent on the client, such as a collection agent304 described above, the collection agent gathering informationassociated with the client-side attribute and evaluating the at leastone clause. In another embodiment, the appliance transmits a script tothe client for execution. In still another embodiment, the appliancetransmits a collection agent to the client, the collection agentevaluating the at least one clause.

The client transmits, via the control connection, a response to theappliance comprising a result of evaluating the at least one clause bythe client (step 806). In one embodiment, the client evaluates the atleast one clause. In another embodiment, a collection agent orevaluation component on the client evaluates the at least one clause. Instill another embodiment, the client evaluates the at least one clauseby executing a script. In yet another embodiment, the client gathersinformation associated with the client-side attribute. In a furtherembodiment, the client evaluates the at least one clause responsive tothe gathered information.

In one embodiment, the client identifies a client-side attributeindicating a presence on the client of one of the following: a versionof an operating system, a service pack of the operating system, arunning service, a running process, and a file. In another embodiment,the client identifies a client-side attribute indicating a presence onthe client of one of the following: antivirus software, personalfirewall software, anti-spam software, and internet security software.In still another embodiment, the client identifies a client-sideattribute indicating a version on the client of one of the following:antivirus software, personal firewall software, anti-spam software, andinternet security software.

In one embodiment, the appliance evaluates a second clause of thesecurity string. In another embodiment, the appliance evaluates a clauseof the security string comprising one or more logical operations. Insome embodiments, the appliance receives gathered information associatedwith the client. In one of these embodiments, the appliance receives thegathered information from a collection agent, such as a collection agent304 executing on the client 102 as described above. In another of theseembodiments, the appliance evaluates the second clause of the securitystring responsive to the gathered information.

The appliance assigns the client to an authorization group based on theresult of evaluation of the at least one clause (step 808). In oneembodiment, the appliance determines that the client lacks a desiredclient-side attribute, responsive to the result of the evaluation of theat least one clause. In another embodiment, the appliance assigns theclient to an authorization group providing quarantined access to thenetwork via the appliance. In still another embodiment, the applianceconfigures an authorization policy comprising the security string. Inyet another embodiment, the appliance assigns the authorization policyto the authorization group.

In one embodiment, the appliance denies a login request from a client ifthe security string is not associated with the authorization group. Inanother embodiment, the appliance establishes a virtual private networkconnection with the client in accordance with the authorization group.In still another embodiment, the appliance establishes a virtual privatenetwork connection between the client and a server residing on a virtualprivate network.

In one embodiment, the appliance assigns the client to an authorizationgroup based on an application of a policy to the result of evaluation ofthe at least one clause. In another embodiment, the appliance transmitsthe response comprising the result of the evaluation to a policy engine.In still another embodiment, the appliance assigns the client to anauthorization group based on an application of a policy by the policyengine.

G. Appliance Failover Environment

Referring now to FIG. 9, an embodiment of an environment for providingsession failover between multiple appliances 200 is depicted. In briefoverview, a first appliance 200, referred to as a primary appliance, mayprovide session connectivity between a client and a network 104, such asto a server, on behalf of a user. For example, the first appliance 200may establish as SSL VPN session 905 between the client and a server. Asecond appliance 200′ referred to as a secondary, backup or failoverappliance acts as a failover or backup to the first appliance 200 forproviding session connectivity for the client 102 to a network, or aserver, such as via an SSL VPN session. Upon detection of failure of theprimary appliance 200 in providing session connectivity or networkaccess, the second appliance 200′ becomes the primary appliance 200 toprovide connectivity or access for the client via the session.

The primary appliance 200 sends, transmits, shares or otherwise providesinformation to the secondary appliance 200′ via a connection orcommunication channel referred to as a session failover connection 930.The primary appliance 200 may communicate with the secondary appliance200′ using any type and form of protocol or protocols via the connection930. In one embodiment, the primary appliance 200 makes RPC (remoteprocedure calls) via a TCP or UDP connection. In other embodiments, theprimary appliance 200 and secondary appliance 200′ may communicate usingany type and form of custom or proprietary protocol. In someembodiments, the connection 930 includes a secure, tunneled, encryptedor virtual private network connection, and any type and form ofprotocols thereof. For the example, the connection 930 may include a VPNor SSL VPN connection. In yet another embodiment, the appliance 200 and200′ may communicate via a plurality of session failover connections930. In other embodiments, the appliances may multiple a plurality ofSSL VPN session information and communications via one or moreconnections 930.

The primary appliance 200 may establish the connection 930 with thesecondary appliance 200′ or the secondary appliance 200′ may establishthe connection 930 with the primary appliance 200. The connection 930may be established at any time during operations of the appliances 200,200′. In one embodiment, the appliances establish the connection 930upon startup of either the primary or secondary appliance. In anotherembodiment, the appliances establish the connection 930 upon initiationor during the setup of a session. In some embodiments, the appliancesestablish the connection 930 in response to a command received from auser, system or application. For example, in one case, the appliancesestablish the connection response to configuration information receivedfrom a user. In another embodiment, the appliances establish theconnection 930 in response to triggering or applications of one or morepolicies of a policy engine 236.

A session manager 915 may include any software, hardware or anycombination of software and hardware. The session manager 915 mayinclude any type and form of program, service, task, process orexecutable instructions operating in user mode 202, kernel mode 204 orany combination thereof in the appliance 200. In some embodiments, thesession manager is a vServer 275, or a portion thereof, as depicted anddescribed in conjunction with FIG. 2B. For example, a vServer 275includes any logic, functions, rules, or operations to perform anyembodiments of the session management techniques described herein, suchas SSL VPN session management. In some embodiments, the session manager915 provides or otherwise supports any of the SSL VPN functionality 280,and any embodiments thereof, described in connection with FIG. 2B above.

As also previously described herein in connection with FIG. 4, theappliance 200 may host one or more intranet internet protocol orintranetIP or IIP addresses 282A-282N. The appliance 200 may associateand assign these IIP addresses 282 with a user and/or client Forexample, when connected from a first network 104 to a second network104′ via the appliance 200, the appliance 200 establishes, assigns orotherwise provides an IntranetIP address for the user and/or client 102on the second network 104′. The appliance 200 listens for and receiveson the second or private network 104′ for any communications directedtowards the client 102 using the client's established IntranetIP 282. Inone embodiment, the appliance 200 acts as or on behalf of the client 102on the second private network 104. The appliance 200 may forward to theclient 102 communications from the second network 104′ directed towardsthe IIP address 282.

The appliance 200 and/or 200′ may have a session propagator 910including software, hardware or any combination of software andhardware. The session propagator 910 may include logic, functions,operations or executable instructions, such as a program, service ortask to propagate a session or any information thereof betweenappliances. The session propagator 910 may transmit information of oneor more sessions via the session failover connection. The informationmay include any data identify or specify any one or more of thefollowing: 1) identifier for the session, 2) type of session, 3)configuration of session, 4) type or name of application for thesession, 5) the computing devices participating in the session, such asnetwork identifiers for the devices, 6) any IIP addresses for thesession or users, such as IIP Pool 410, 7) IIP policies 420, 8) IPLWDB450 (see FIG. 4), 9) any users associated with the session 10) anypolicies used for the session, such as names of SSL VPN policies, 11)any end point authorization policies, such as client security stringsused for the session, 12) session state, and/or 13) any session metrics,such as length of the session.

In one embodiment, the primary appliance 200 propagates or synchronizespolicies with the secondary appliance 200′. In some embodiments, thepolicy configuration of the primary appliance 200 is distributed andused in the secondary appliance 200′. In other embodiments, the primaryand secondary appliances are configured with the same policies or withthe same policies applicable to sessions to be handled via failover bythe secondary appliance 200′. In another embodiment, the secondaryappliance 200′ maintains and uses one or more different policies on afailover session.

The session propagator 910 may propagate information for one or moresessions in any form, including one or more objects, data structures, orfiles. The appliance 200 and/or session propagator 910 may packetize anyof this information into one or more network packets and payloadsthereof in a manner in accordance with the protocols used between theappliances. In some embodiments, a first propagator 910 on a firstappliance 200 communicate or interfaces to a second propagator 910 on asecond appliance 200 to provide session information, such as informationfor the second appliance 200′ to create, generate or otherwise establishthe session 905 on the second appliance 200′ as exists on the firstappliance 200.

The session propagator 910 may propagate a session based on one or morepolicies. For example, in one embodiment, the policy engine 236 may havean SSL VPN session applied to a session that indicates the session isnot have a failover or backup session. In some cases, a first set of oneor more sessions may be propagated from one appliance to anotherappliance, while a second set of one or more sessions are not propagatedbetween appliances.

The session propagator 910 may propagate a session from one appliance toanother appliance synchronously or asynchronously. The sessionpropagator 910 may propagate a session during a sequence of operationsof establishing a session, such as an SSL VPN session, on the primaryappliance 200. By way of example, the primary appliance 200 may receiveda request from a client to establish a connection with a server. Inresponse, the appliance 200 creates a session 905 on the appliance 200.The primary appliance 200 may apply any policies to the session, such asany configured SSL VPN policies may be applied to the session. Uponcreation or establishment of the session, the primary appliance 200 viathe session propagator 910 propagates the session to the secondaryappliance 200. The secondary appliance 200′ may establish the secondsession via the session manager 915 and/or session propagator 910 of thesecondary appliance 200′. This may be referred to as a failover orbackup session.

In one embodiment, some portions or information of the session maychange dynamically during the course of using the session or during thelifetime of the session. For example, the appliance 200 and/or sessionmanager 915 may maintain counters for auditing and/or to maintainsession statistics. These counters may change dynamically duringoperation or lifetime of the session. In some embodiments, the sessionpropagator 915 propagates these dynamically changing session informationupon the change in the session. In other embodiments, the sessionpropagator 915 propagates session information, including changed sessioninformation, on a predetermined frequency or time period. In yet anotherembodiment, the session propagator 915 propagates session information,including changed session information, triggered by predeterminedevents. In some embodiments, a first propagator 910 such as a propagatoron the secondary appliance 200′ queries a second propagator 910 such asa propagator on the primary appliance 200 on a predetermined basis, suchas frequency, time or event based.

Upon receipt of session information propagated from the primaryappliance 200, the secondary appliance 200′ may store this informationin memory or to storage. In one embodiment, the secondary appliance 200′and/or session propagator 910 of the secondary appliance 200′ mayre-create or otherwise establish a session on the secondary appliancebased on the session information received from the primary appliance200. In some embodiments, the second appliance 200′ creates or modifiesa session to be a copy of the session on the first appliance. In onecase, the secondary appliance 200′ provides a session having the samesession structure, information and/or configuration as the session onthe primary appliance 200. In another embodiment, the secondaryappliance 200′ updates the session with information, such as dynamic orchanged session information, received from the primary appliance 200.

The session manager 915 may identify, track, maintain, control and/orchange a state of a session, such as any of the following states:active, inactive, disconnected, on hold/suspended, failed, error,backup, etc. In one embodiment, the session manager 915 may identify asession as in an active state. In another embodiment, the sessionmanager 915 may identify or change a session from active to inactive. Insome embodiments, the session manager 915 may identify a session assuspended or change the state of a session from active to suspended. Insome embodiments, the session manager 915 may change the state of asession from suspended to active.

For example, the secondary appliance 200′ may establish a failoversession 905′ for an active session 905 of the primary appliance 200. Thesession manager 915 of the secondary appliance 200′ may identify orestablish this failover session 905′ as inactive or otherwise on hold orsuspended. Upon detection of a failover in the primary appliance 200,the session manager 915 may change the status or state of the failoversession from inactive or suspended to active. In one embodiment, thesession manager 915 changes the state of the failover session to activeupon authorization of the end point, e.g., the client 102, using theclient security strings techniques described herein.

The appliance and/or session manager may control the establishment of asession, access via a session and/or the state of a session via any typeand form of end point authentication and authorization schemes. In someembodiment, the appliance and/or session manager may perform any of thesystems and methods of the client security string end pointauthorization techniques described above in connection with FIGS. 6A-6C,7 and 8. For example, the appliance 200 may transmit a client securitystring to the client based on one or more polices. The client mayevaluate the security string or portion thereof and transmit theevaluation results back to the appliance. Based on the evaluationresults and/or one or more polices, the appliance 200 may authorized theclient 102 to establish a session or to access a network, application orother resource via the session. In some embodiments and described infurther detail below in conjunction with FIG. 11, a secondary appliance200 may activate a failover session upon performing end-point scanningand authorization.

The appliance 200 and/or 200′ may include a failover detector 920. Thefailover detector 920 may include software, hardware or any combinationof software and hardware. The failover detector 920 may include logic,functions, operations or executable instructions, such as a program,service or task to determine a status of an appliance. The failoverdetector 920 may determine if an appliance is operational or running, orotherwise able to service a connection or session 905. The failoverdetector 920 may determine if a condition exists on an appliance 200,200′ such that the management and providing of the session 905 should betransferred from one appliance to another appliance, such as from theprimary appliance 200 to the backup appliance 200′. In one embodiment, afailover detector 920 on appliance 200′ determines the operationalstatus or state of the primary appliance 200. In another embodiment, thefailover detector 920 on appliance 200 determines the operational statusor state of the second appliance 200′. In some embodiments, the failoverdetector 920 on one appliance 200 determines the operational status orstate of the appliance 200 and forwards information on the operationalstatus/state to a second appliance 200′, such as to a second failoverdetector. In other embodiments, the failover detector 920 may bedistributed among two or more appliances or on one or more othercomputing devices 100. In one embodiment, the client agent 120 includesa failover detector 920.

The failover detector 920 may use any type and form of protocol todetermine a status of an appliance 200. In one embodiment, the failoverdetector 920 may send any type of ping or “heartbeat” message to anappliance to determine a status of the appliance. In another embodiment,the failover detector 920 may make an RPC call to determine a status ofan appliance. In some embodiments, the failover detector 920 makes anapplication programming interface (API) call to determine the status ofan appliance. In yet another embodiment, the failover detector obtainsor gets status information of a appliance from a health monitoringprogram, such as the health monitoring program 216 described inconjunction with FIG. 2A.

The failover detector 920 may communicate to or interface with thesession propagator 910 and/or session manager 915 to perform sessionfailover upon detection of an appliance failure. In one embodiment, thefailover detector 920 transmits a message to the session propagator 910and/or session manager 915 to provide notice of a failover situation orcondition. In another embodiment, the failover detector 920 triggers anevent in the session propagator 910 and/or session manager 915 toprovide notice of a failover situation or condition. In otherembodiments, the failover detector 920 makes an API call to the sessionpropagator 910 and/or session manager 915 to provide notice of afailover situation or condition.

Although a single second appliance 200 is depicted in FIG. 9, aplurality of secondary appliances 200′ may be deployed. For example, afirst secondary appliance 200′ may be a failover appliance for a firstprimary appliance 200. A second secondary appliance 200″ may be a backupor failover appliance to the first secondary appliance 200′, and a thirdsecond appliance 200′″ may be a failover appliance for the secondsecondary appliance 200″, and so on. In these embodiments, one or moresessions may be propagated via a daisy chain of multiple failoverappliances. Upon failover of the first primary appliance 200, the firstsecondary appliance 200 may become a primary appliance, such as a secondprimary appliance 200. Upon failover of this second primary appliance(or first secondary appliance, the third secondary appliance becomes aprimary appliance for the session, and so on.

In other embodiments, a secondary appliance 200′ may be a failover orbackup appliance for multiple primary appliances, such as a firstprimary appliance and a second primary appliance. The first primaryappliance and the second primary appliance may each propagate one ormore session, such as SSL VPN session, to the secondary appliance 200′.In some embodiments, a primary appliance 200 may have multiple failoversecondary appliances, such as redundant appliances. For example, aprimary appliance 200 may propagate one or more session to a firstsecondary appliance 200′ and a second secondary appliance 200″. In yetanother embodiment, a primary appliance 200 may propagate a first set ofone or more sessions to a first secondary appliance 200′ and a secondset of one or more sessions to a second secondary appliance 200′.

The detection of failover, propagation of sessions, and/or the transferof the active session from a primary appliance 200 to a secondaryappliance 200′ may occur seamlessly and/or transparently to the clientor user, or the applications using the transferred session. In oneembodiment, the client agent 120 is provided notice of the failoversituation and communicates with the secondary appliance 200′ instead ofthe primary appliance 200. In some embodiments, the client agent 120re-establishes a connection and the session with the secondary appliance200′. For example, upon the client detecting the connection to theprimary appliance 200 has been lost, dropped or otherwise disconnected,the client agent 120 connects to the backup appliance 200′.

In other embodiments, the secondary appliance 200 after failover has thesame network identifier or IP address as the primary appliance. In theseembodiments, the client agent 120 may communicate to the same networkidentifier of an appliance but the secondary appliance 200′ receives thecommunication instead of the primary appliance 200. In some embodiments,the primary appliance 200 intercepts communications between the clientand a server. Upon detection of failover in these embodiments, thesecondary appliance 200′ intercepts the communications instead of theprimary appliance 200.

The appliance 200, 200′ may also include a restoration mechanism orrestorer 945 for restoring or addressing any synchronization issues of auser's IIP address between appliances due to an error, failure or issuewith session propagation. The restorer 945 may include software,hardware or any combination of software and hardware. The restorer 945may be an application, program, library, service, process, task, threador any other type and form of executable instructions. The restorer 945may include recovery logic, function or operations to determine if anIIP address is not synchronized or if there was an error in propagation,and to update the appliance with the appropriate IIP addresses andstates thereof. In one embodiment, the restorer 945 queries anotherappliance to obtain updated IIP address and state information for anentity, such as a user. In some embodiment, the restorer 945 uses anytype and form of address resolution protocol (ARP), such as a gratuitousARP, to resolve IIP address issues or conflicts.

H. Maintaining IIP Address Stickiness Via Failover

Referring now to FIG. 10, an embodiment of steps of a method formaintaining IIP address stickiness during appliance failover of an SSLVPN session is depicted. Using the techniques discussed herein, one ofthe one or more IIP addresses assigned to a user and/or client in theprimary appliance 200 may be used as the IIP address for the user and/orclient after failover in the secondary appliance 200′. In this manner,although a failover condition occurred, the SSL VPN connection mayseamlessly and/or transparently continue using the IIP address of theuser and/or the client. In other situations, when a user connects viathe secondary appliance 200′, the user is assigned an IIP address thatwas assigned to the user via the primary appliance 200.

In brief overview of method 1000, at step 1005, an SSL VPN session isestablished for a user with a first or primary appliance 200. Theappliance 200 assigns the user an IIP address for the session. At step1010, the primary appliance propagates SSL VPN session to a secondaryappliance 200′. The propagated information may include one or more IIPaddresses 282 assigned to or associated with the user, such as a pool ofIIP addresses 410 as depicted in and described with FIG. 4. Thesecondary appliance 200′ may establish a failover session. At step 1015,a failover condition of the primary appliance 200 is detected. At step1020, the secondary appliance 200 receives a request from a client toestablish a second SSL VPN session for the user. At step 1025, thesecondary appliance assigns to the user and/or client a propagated IIPaddress of the user.

In further details, at step 1005, an application or a user on the client102 may request a SSL VPN connection from a first network 104 to asecond network 104′ such as to a server 106 on network 104. In oneembodiment, the client agent 120 transmits a request to the appliance200 to establish the SSL VPN session with the server 106. In someembodiments, the appliance 200 establishes a first transport layerconnection with the client 102 via client 120. In response to therequest, the appliance 200 may establish a second transport layerconnection with the server 106. In one case, the appliance 200 providesan SSL VPN session to the client via the first transport layerconnection. In some embodiments, the appliance 200 may already have anestablished connection with a server. For example, the appliance 200 mayhave one or more pooled transport layer connections to the server 106.In some cases, the client agent 120 transmits a configuration command,e.g., /cfg, to request and establish a SSL VPN session.

The appliance 200 may assign or otherwise provide the user identifiedwith the SSL VPN session with an IIP address 282. The appliance 200 mayuse any of the systems and methods described herein to assign the IIPaddress, such as any of the embodiments described in conjunction withFIG. 4 and FIG. 5 above. The appliance 200 may assign an IIP address 282to a user from a plurality of IIP addresses based on policy, temporaland/or status information. For example, the appliance 200 may assign tothe SSL VPN session a most recently or most frequently used IIP address282. The appliance 200, such as via session manager 915, maintains thestate of the IIP addresses 282 used or assigned to the user. Forexample, the IIP address assigned to the user may be identified as inthe active state. The appliance 200 may also track any temporal andclient information associated with the user assigned IIP address.

Further to step 1005, the appliance 200 may associate, inherit orotherwise apply one or more policies to the SSL VPN session, such as viasession manager 915. In one embodiment, the appliance 200 associates orinherits one or more policies with the SSL VPN session based on theconfiguration of the policy engine 236 at the time of the request and/orestablishment. In another embodiments, the appliance associates orinherits one or more policies with the SSL VPN session based on executedpolicy or policy configuration commands upon the establishment of theSSL VPN session, or any time thereafter.

The appliance 200, such as via session manager 915, may store andmaintain information on the established SSL VPN session in one or moreobjects, data structures tables and/or files. Some portions of thesession information may be static. For example, the session informationis stored upon establishment and not changed thereafter. In some cases,portions of the session information may be dynamic. For example, thesession manager 915 may store and maintain counters for auditing and/orto hold statistics on the session, such as bytes sent/received andtransfer rates. In some embodiments, the appliance 200, such as viasession manager 915, stores session information in a hash table. Forexample, a session cookie may be hashed or used as a key to obtaininformation on a session in a table.

At step 1010, the primary appliance 200 propagates information on theSSL VPN session and/or IIP addresses to the secondary appliance 200′.The primary appliance 200 may transmit or communicate via the failoverconnection 930 to the secondary appliance 200′ to provide anyinformation on the SSL VPN session, IIP address used for the sessionand/or IIP addresses of the user. The primary appliance 200 maycommunicate, marshal or otherwise transfer the data from the one or moreobjects, data structures or files to store and/or maintain the sessionand/or IIP address information.

The primary appliance 200 may propagate the SSL VPN and/or IIP addressinformation at any time upon establishment of the session or any timethereafter. In one embodiment, the primary appliance 200 propagates theSSL VPN and/or IIP address information in an synchronous manner. Forexample, upon establishment of the SSL VPN session by the primaryappliance, the appliance 200 propagates the information to the secondaryappliance 200′. In one embodiment, the primary appliance 200 propagatesthe information to the secondary appliance after the receipt of theconfiguration command, e.g., /cfg command, from the client agentrequesting establishment of the SSL VPN session. In other embodiments,the primary appliance 200 propagates the SSL VPN and/or IIP addressinformation in a asynchronous manner. For example, the primary appliance200 may propagate the information based on a timeout loop.

The primary appliance 200 may propagate SSL VPN and/or IIP addressinformation for each session, asynchronously or synchronously. In somecases, the primary appliance 200 propagates SSL VPN and/or IIP addressinformation for multiple sessions. In one embodiment, the propagation ofmultiple sessions and/or IIP address information may occur subsequentlyto each other. In other embodiments, the propagation of multiple sessionand/or IIP address information may transmitted concurrently via one ormore connections 930. In one case, the propagation of multiple sessionand/or IIP address information is multiplexed over a single connection930.

The primary appliance 200 may propagate any static session and/or IIPaddress information once upon or after establishment of the SSL VPNsession and/or user assigned IIP address. The primary appliance 200 maypropagate any dynamically changed session and/or IIP address informationupon any changes to the session or IIP address information. In anothercase, the primary appliance 200 may propagate any dynamically changedsession and/or IIP address information upon a predetermined frequency orconfigured events.

Upon receipt of any propagated information from the primary appliance200, the secondary appliance 200′ may store the propagated informationin any type and form of objects, data structures, tables and/or files.The session manager 915 may establish the SSL VPN session on thesecondary appliance 200. The session manager 915 may identify thesession as not active. For example, the session manager 915 may put thebackup or failover session on hold. The session manager 915 may alsoestablish one or more IIP addresses for a user based on the propagatedinformation. The session manager 915 may maintain the states of the IIPaddresses based on the activity of the primary or secondary applianceand session of the user. For example, the session manager 915 mayidentify the propagated IIP address as on hold. In another example, theappliance 200′ marks or identifies all the secondary IIP addresses onhold or inactive. In one embodiment, the session manager 915 activatesan SSL VPN session and/or IIP address of a user based on detection of afailover condition from the failover detector.

At step 1015, the primary appliance 200 is detected in a state orcondition to cause failover. The failover detector 920 may detect afailover condition of the primary appliance 200′. The failover detector920 may monitor the state or condition of the primary appliance 200 on apredetermined frequency. In other cases, the failover detector 920 matmonitor the state or condition of the primary appliance 200 based onpredetermined events. In one embodiment, the client agent 120 informsthe failover detector 920 and/or secondary appliance 200′ of the stateor condition of the appliance 200. In another embodiment, the primaryappliance 200, such as via a first failover detector, informs a secondfailover detector 920 and/or secondary appliance 200′ of the state orcondition of the appliance 200.

The failover condition of the primary appliance 200 may be for one ormore SSL VPN sessions or for all sessions. In one embodiment, theprimary appliance 200 may be in a failover state or condition withrespect to a first SSL VPN session. In another embodiment, the primaryappliance 200 may remain active and/or operations for a second SSL VPNsession. For example, a first VIP server 275 of the primary appliance200 may go down while a second VIP server 275 remains active. As such,the secondary appliance 200 may provide backup or failover to all thesessions of the primary appliance or a portion of the sessions. In otherembodiments, a second backup appliance 200″ may provide failoverservices to another portion of the sessions of the primary appliance200.

Upon detection of the failover condition, the secondary appliance 200may change a state of any of the backup or failover sessions. Forexample, the session manger 415 may activate one or more sessions, suchas a session propagated from the primary appliance 200. The secondaryappliance 200 may change the state of any IIP addresses. For example,the session manager 915 may activate one or more IIP addresses. In someembodiments, the secondary appliance 200′ changes the state of anysession and/or IIP address upon request to establish a session via thesecondary appliance 200′.

The appliance 200, 200′ may use any type and form of address resolutionprotocol (ARP) to resolve any IIP addresses. In one embodiment, theappliance 200, 200′ uses a gratuitous ARP to resolve IIP addresses usedby appliances. The appliance may transmit an ARP or gratuitous ARPrequest on a predetermined time period or frequency. The appliance maytransmit an ARP or gratuitous ARP request based on a detection event ofthe failover detector 920. In some embodiments, the appliance transmitsan ARP or gratuitous ARP request based any type and form of schedulingalgorithm such as a staggered yield CPU algorithm. Based on the resultsof the ARP requests, the appliance may activate one or more IIPaddresses.

At step 1020, the client establishes or obtains SSL VPN sessionconnectivity via the secondary appliance 200′. In one embodiment, theclient agent 120 detects or otherwise determines the primary appliance200 is not operational or otherwise no longer servicing or providing thesession. The client 120 is configured and constructed to transmit arequest to the secondary appliance 200′ to establish or re-establish thesession. In some embodiments, the client agent re-establishes theconnection and/or session using a host name or an IP address of theprimary appliance. With the failover detected, the secondary appliance200′ may listen and respond to the IP address or host name. In anotherembodiment, the failover detector 920 or secondary appliance 200′informs the client agent 120 to use the secondary appliance 200′ tocontinue or re-establish the session with the secondary appliance 200′.In yet another embodiment, the client and/or client agent continues touse the session after failover. The secondary appliance 200′ seamlesslyand/or transparently continues to provide or resume the session.

At step 1025, the secondary appliance 200′ assigns to the user for theSSL VPN session an IIP address assigned to the user, such as the IIPaddress assigned during the SSL VPN session provided by the primaryappliance 200. The appliance 200′ provides IIP “stickiness” for the userduring the failover as the session is provided by the backup orsecondary appliance 200′. The appliance 200′ may use any of the systemsand methods described in conjunction FIGS. 4 and 5 to assign ordesignate IIP addresses to a user or client based on the propagated IIPaddress information received from the primary appliance 200.

In some cases, the secondary appliance may assign to the user or clienta most recently used IIP address. In another cases, the secondaryappliance may assign to the user or client a least recently used IIPaddress. In some embodiments, the secondary appliance assigns to theuser or client the most used or one of the most used IIP addresses ofthe user or client. In some embodiments, the secondary appliancedetermines the propagated IIP address to assign to the user or clientresponsive to one or more policies of a policy engine. The secondaryappliance may choose an inactive IIP address and make the IIP addressactive for assigning to the user or client. The second appliance mayresponsive to a policy specify a domain name suffix to append to anidentifier of the user to provide a user domain name for the IIPaddress.

Referring now to FIG. 10B, an embodiment of example IIP propagationscenarios during session failover are depicted. In some cases, the“stickiness” of IIP addresses of a user may become out of sync due toSSL VPN session deletion propagation failure. For example, the IIPaddress “stickiness” may not be maintained in the primary appliances butexists in the secondary appliance. The appliance 200 includes arestoration mechanism 945 to restore the appropriate IIP addressstickiness in such situations.

In view of Example 1 of FIG. 10B, the system may include twoauthenticated, authorized and audited users u1 and u2. These users maybe associated or bound to a group “g”. Group g may have one IIP addressbound or associated with it. Initially, the users u1 and u2 may not havean IIP address bound to the user. In following the transaction of theExample 1 diagram, the user u1 at T1 may establish a SSL VPN sessionwith the primary and be assigned the IIP address of the group. Using thetechniques described herein, the SSL VPN session and IIP address ispropagated at T1 from the primary appliance to the secondary appliance.The user may logout, disconnect or otherwise terminate the session inthe primary appliance 200. The primary appliance 200 may delete thesession also at T2. The propagation of the deleted session may fail atT2 leaving the secondary appliance 200′ having the propagated firstsession of the user and associated IIP address. At this point, thesecondary and primary appliances are out of synch with respect to theSSL VPN session and/or the IIP address. At T3, the user logins into theprimary appliance and gets the same IIP address, and the session and IIPaddress information is propagated to the secondary appliance.

In view of the above example and in one embodiment, the restorer 945determines the out of sync states of the session and/or IIP addressbetween the secondary and primary appliance. The restorer 945 maydeleted the earlier session propagated at T1 and restore the appropriatestickiness. For example, the restore 945 may delete the IIP address fromthe secondary appliance. In another example, the restorer 945 may changethe state of the IIP address from active to inactive or some other nonactive state designator.

In another Example of Example 2 depicted in FIG. 10B, the user u1establishes, at T1, a session with the primary appliance 200 and isassigned a IIP address. At T1, the primary appliance 200 propagates thesession and IIP address information to the secondary appliance 200′. AtT2, the user u1 may log out. The propagation from the primary applianceto secondary appliance may fail. For example, the session of user u1which was terminated may be deleted by the primary appliance. At T3, theuser u2 may establish or re-establish a session with the primaryappliance and reclaim or be assigned the IIP address. The primaryappliance may propagate to the secondary appliance information on thissession of u2 and the assigned IIP address to u2. In one embodiment, theuser u2 may already be assigned the IIP address via the secondary. Thismay create an IIP address conflict.

In view of this second example, the secondary appliance and/or restorer945 may determine if the propagated IIP address is active in thesecondary appliance. If the IIP address is active, then either thesession of u2 on the primary appliance or the session of u2 on thesecondary appliance may be deleted or otherwise deactivated. Then theappliance having the remaining session may reclaim and continue to usethe IIP

I. End Point Reauthorization Upon Failover

Referring now to FIG. 11, an embodiment of steps of a method forperforming end point authorization or re-authorization during appliancefailover of an SSL VPN session is depicted. Using the techniquesdiscussed herein, the secondary appliance 200′ performs end pointre-authorization on the client upon failover although the client mayhave been authorized via the primary appliance 200. In view of thesystems and methods described herein in conjunction with FIGS. 6A-6C, 7and 8, the appliance 200 may use client security strings to perform endpoint authorization. Via the values of one or more client securitystrings, the appliance determines if the client has attributes that meeta predetermined policy for authorization. Depending on the valuesreturned by the client via client agent 120, the appliance 200determined whether or not to authorize the client to connect andestablish an SSL VPN session via the appliance.

As part of the session data and information, the appliance 200 such asvia session manager may store, maintain or track the values of theclient security strings used to perform end point detection andauthorization. In some embodiments, these client security string valuesor end point authorization values are not propagated from the primaryappliance to the secondary appliance. In other embodiments, any clientsecurity string values propagated to a secondary appliance may becomeout of sync or stale. In other cases, the values for the client securitystrings would change if re-obtained or detected from the client. Forexample, one or more attributes or characteristics of the client mayhave changed between the client's establishment of the session with theappliance and the failover. The client may go through one or moresoftware upgrades or de-installs between SSL VPN session login and theoccurrence of a failover. The attributes of the client 102 may be suchthat the values of the client security string may not allow the clientto be authorized in accordance with policy.

The embodiment of steps of method 1100 in FIG. 11 depict a technique forend point detection and authorization to address the issue with securityduring failover based on possible or actual changes to client attributesthat may impact client security strings applied to the transferredsession. In brief overview of method 1100, at step 1105, the primaryperforms end point authorization using client security strings andestablishes an SSL VPN session with a user. The user may be assigned anIIP address. At step 1110, the primary appliance 200 propagates the SSLVPN session information, including client security string expressions tothe secondary appliance 200′. At step 1115, a failover condition of theprimary appliance 200 is detected. At step 1120, the secondary appliance200′ provides SSL VPN session to the client based on propagated sessioninformation. At step 1125, the secondary appliance places thetransferred or failover SSL VPN session on hold until end pointdetection and authorization is performed on the client. At step 1130,the secondary appliance 200′ transmits the propagated client securitystring(s) to the client. The client returns values for the clientsecurity strings. The secondary appliance determines whether or not toauthorized the client for access to the network or server via the SSLVPN session. At step 1135, if the client is authorized the secondaryappliance activates the SSL VPN session. Otherwise, the secondaryappliance maintains the session on hold, deactivates or otherwisedeletes the session.

In further details, at step 1105, an application or a user on the client102 may request a SSL VPN connection from a first network 104 to asecond network 104′ such as to a server 106 on network 104. As discussedabove in connection with step 1005 of FIG. 10A, the client agent 120 mayestablish a connection with the primary appliance 200. The client agent120 may transmit a request to establish an SSL VPN session to a serveror the network via the appliance 200. The appliance 200 may associate,inherit or otherwise apply one or more policies to the session orconnection request from the client, such as any type and form of endpoint authorization policy. In response to the request, the appliance200 in accordance with policy may perform any type and form of end pointdetection and authorization. In some embodiments, the appliance 200performs any of the end point detection and authorization techniquesusing client security strings described above in connection with FIGS.6A-6C, 7 and 8.

Using the client security string techniques described herein, theappliance 200 based on policy transmits a client security string forevaluation to the client agent 120. For example, a client securitystring may in one embodiment be expressed in the form of:

client.application[mcafeevirusscan].version >= 4.88 &&client.svc[svchost]RUNNINGThe client agent 120 evaluates the one or more client security stringsand transmits values for the strings to the appliance 200. Based on thepolicy configuration, the appliance 200 determines whether or not theclient is authorized to establish the SSL VPN session. If the client isauthorized, the appliance 200 establishes and allows the SSL VPN sessionto be used by the client 102. Otherwise, the appliance 200 may deny ordrop the client's request for access via an SSL VPN session.

The appliance 200, such as via session manager 915, may store andmaintain information on the established SSL VPN session, including anyIIP address information, in one or more objects, data structures tablesand/or files. The appliance 200 may store and maintain information onthe client security strings applied to the established SSL VPN sessionand any values thereof. In some embodiments, the appliance 200 tracksthe client security strings used for the session via any pointing orindexing to the applicable policies of the policy engine 236.

At step 1110, the primary appliance 200 propagates information on theSSL VPN session and/or client security strings to the secondaryappliance 200′. The primary appliance 200 may transmit or communicatevia the failover connection 930 to the secondary appliance 200′ toprovide any information on the SSL VPN session, IIP addresses associatedwith the session and/or the client security strings applied or used forthe session. The primary appliance 200 may communicate or transfer thedata from the one or more objects, data structures or files to storeand/or maintain the session and/or IIP address information.

The primary appliance 200 may propagate the SSL VPN and/or clientsecurity string information at any time upon establishment of thesession or any time thereafter. In one embodiment, the primary appliance200 propagates the SSL VPN and/or client security string information inan asynchronous manner. For example, upon establishment of the SSL VPNsession by the primary appliance, the appliance 200 propagates theinformation to the secondary appliance 200′. In one embodiment, theprimary appliance 200 propagates the information to the secondaryappliance after the receipt of the configuration command, e.g., /cfgcommand, from the client agent requesting establishment of the SSL VPNsession. In other embodiments, the primary appliance 200 propagates theSSL VPN and/or or client security string information in an asynchronousmanner. For example, the primary appliance 200 may propagate theinformation based on a timeout loop.

The primary appliance 200 may propagate SSL VPN and/or IIP addressinformation for each session, asynchronously or synchronously. In somecases, the primary appliance 200 propagates SSL VPN and/or or clientsecurity string information for multiple sessions. In one embodiment,the propagation of multiple sessions and/or IIP address information mayoccur subsequently to each other. In other embodiments, the propagationof multiple session and/or or client security string information maytransmitted concurrently via one or more connections 930. In one case,the propagation of multiple session and/or IIP address information ismultiplexed over a single connection 930.

The primary appliance 200 may propagate any policies including theclient security strings to the secondary appliance. The primaryappliance 200 may propagate the policies to the secondary appliance uponappliance startup, policy configuration or binding of the policy to auser, session or other entity. In another case, the primary appliance200 may propagate any changed client security string information upon apredetermined frequency or configured events.

Upon receipt of any propagated information from the primary appliance200, the secondary appliance 200′ may store the propagated informationin any type and form of objects, data structures, tables and/or files.The session manager 915 may establish the SSL VPN session on thesecondary appliance 200. The session manager 915 may identify thesession as not active. For example, the session manager 915 may put thebackup or failover session on hold. The session manager 915 may alsoassociate the propagated client string information for the session basedon the propagated information. In another embodiment, the secondaryappliance 200′ inherits or associates the client security strings fromone or more policies of the policy engine 236 of the secondary appliance200′ associated or bound to the session.

At step 1115, the primary appliance 200 is detected in a state orcondition to cause failover and at step 1120, the second applianceprovides SSL VPN session connectivity for the client. As described inconjunction with FIG. 10A and steps 1015 and 1020, the secondaryappliance uses the propagated information to re-establish an SSL VPNsession for the client 102. For example, the client agent 120establishes the SSL VPN session with the secondary appliance instead ofthe failed primary appliance. The secondary appliance claims thetransferred SSL VPN session and continues the SSL VPN session for theclient. In one embodiment, the user requests to establish the SSL VPNsession via another client.

At step 1125, the secondary appliance places or identifies thetransferred, propagated or established SSL VPN session as on hold orotherwise not active or available for use. The secondary appliance 200′may determine that the session has one or more end point authorizationpolicies or client security strings associated with the session. In oneembodiment, the secondary appliance 200′ determines the failed appliance200 propagated client security information for the session. In someembodiments, the secondary appliance 200′ determines to place thesession on hold responsive to a policy. In yet another embodiment, thesecondary appliance 200′ determines to place the session on hold basedon the type of client security string. In other embodiments, thesecondary appliance 200′ determines to place the session on hold basedon the value of the client security string detected via the primaryappliance and propagated to the secondary appliance. In one embodiment,the secondary appliance 200′ automatically places the SSL VPN session onhold until the client is re-authorized.

At step 1130, the secondary appliance performs end point detection andauthorization on the client for the transferred SSL VPN session. In oneembodiment, the secondary appliance transmits the propagated clientsecurity string(s) to the client agent 120 for evaluation. In someembodiment, the secondary appliance transmits to the client agent oneclient security string from a plurality of propagated client securitystrings. In some cases, the secondary appliance determines which of thepropagated client security strings to obtain updated values or to verifythe values from the client upon failover. In one case, the secondaryappliance may determine that is not required or desired to check thevalue of a client security string after failover. For example, thesecondary appliance may determine the value of the client securitystring may not have changed or is not likely to have changes.

In another embodiment, the secondary appliance transmits the clientsecurity string from any inherited policies or polices bound to the useror session. In some embodiments, the secondary appliance transmitsadditional client security string in conjunction with the propagatedclient security strings. In one embodiment, the secondary appliancemodifies one or more propagated client security strings, or any portionsthereof, by policy or otherwise. In one embodiment, the secondaryappliance combines the propagated client security strings with one ormore client security strings imposed on the session by the secondaryappliance via policy or otherwise.

Further to step 1130, the secondary appliance receives from the clientagent 120 an evaluation of the one or more transmitted client securitystrings. The secondary appliance checks, validates or otherwise comparesthese values to acceptable values indicated by one or more policies ofthe policy engine. The comparison to values specified via policydetermines whether or not the client is authorized for access. Thevalues of the client attributes determined via evaluation of the clientsecurity string may or may not be acceptable in accordance with policy.In another embodiment, the result of evaluation of the client securitystring or series of client security strings determines whether or notthe client is authorized for access. In some embodiments, the secondaryappliance 200 performs evaluation of at least a portion of theexpression of a plurality of client security strings to determineauthorization of the client.

At step 1135, the secondary appliance 200 determines to activate or notactivate the transferred SSL VPN session based on the results of endpoint detection and authorization of the client. If after appliancefailover, the client is re-authorized in accordance with policy, such asvia client security strings, the secondary appliance activates the SSLVPN session put on hold. In one embodiment, the session manager 915responsive to the policy engine and end point authorization changes thestate of the SSL VPN session to active. In another embodiment, thesecondary appliance re-authenticates the user in addition to authorizingthe client. The secondary appliance may activate the SSL VPN sessionbased on re-authentication of the user and re-authorization of theclient.

If after appliance failover, the client is not re-authorized inaccordance with policy, such as failing to provide acceptable values forthe client security strings, the secondary appliance does not activatethe SSL VPN session placed on hold. In one embodiment, the secondaryappliance, such as via session manager 915, maintains the SSL VPNsession on hold. In another embodiment, the secondary appliance, such asvia session manager 915, changes the state of the SSL VPN session toinvalid, inactive or not authorized. In some embodiments, the secondaryappliance, such as via session manager 915, deletes the SSL VPN session.In another embodiment, the secondary appliance de-establishes the SSLVPN session. In one embodiment, the secondary appliance drops ordisconnects the connection with the client responsive to the clientfailing end point authorization. In some embodiments, the secondaryappliance activates the session but limits the user's access based onthe results of the end point detection, such as by placing the user in aquarantined access group.

In view of the structure, functions and operations during failover asdescribed in FIGS. 9-11, the appliance may perform any of the steps ofmethod 1000 and method 1100 in any combination. As such, in someembodiments, the appliance may provide both IIP address “stickiness” forusers during failover as well as end point re-authorization. In thismanner, the systems and method of the appliance described herein providea seamless and/or transparent failover solution that provides continuedand/or additional security measures.

Many alterations and modifications may be made by those having ordinaryskill in the art without departing from the spirit and scope of theinvention. Therefore, it must be expressly understood that theillustrated embodiments have been shown only for the purposes of exampleand should not be taken as limiting the invention, which is defined bythe following claims. These claims are to be read as including what theyset forth literally and also those equivalent elements which areinsubstantially different, even though not identical in other respectsto what is shown and described in the above illustrations.

What is claimed:
 1. A method of maintaining a user's intranet internetprotocol address upon failover of a client's secure socket layer virtualprivate network (SSL VPN) session from a first appliance to a secondappliance, the method comprising the steps of: (a) receiving, by asecond appliance, information from a first appliance, the informationidentifying one or more intranet internet protocol addresses assigned toa first user for accessing a network via a first secure socket layervirtual private network (SSL VPN) session provided by the firstappliance, each of the one or more intranet internet protocol addressesof the first user is independent from an internet protocol addressassigned to a device operated by the first user; (b) detecting, by thesecond appliance, that the first appliance is unavailable to provide thefirst SSL VPN session to the network, and providing, by the secondappliance, SSL VPN connectivity to the network in response to thedetection; (c) receiving, by the second appliance, a request from theclient operated by the first user to establish a second SSL VPN sessionwith the network; and (d) assigning, by the second appliance, to thefirst user a first intranet internet protocol address previouslyassigned to the first user from the one or more intranet internetprotocol addresses as an internet protocol address on the network. 2.The method of claim 1, wherein step (d) comprises assigning, by thesecond appliance, one of a least recently or a most recently usedintranet internet protocol address of the one or more intranet internetprotocol addresses as the first intranet internet protocol address. 3.The method of claim 1, wherein step (d) comprises assigning, by thesecond appliance, one of a least used or a most used intranet internetprotocol address of the one or more intranet internet protocol addressesas the first intranet internet protocol address.
 4. The method of claim1, wherein step (d) comprises assigning, by the second appliance, thefirst intranet internet protocol address from the one or more intranetinternet protocol addresses responsive to a policy of a policy engine.5. The method of claim 1, wherein step (d) comprises determining, by thesecond appliance, an inactive intranet internet protocol address fromthe plurality of multiple intranet internet protocol addresses as thefirst intranet internet protocol address.
 6. The method of claim 1,comprising identifying, by the second appliance, a policy specifying adomain name suffix to append to an identifier of the user to provide auser domain name.
 7. The method of claim 6, comprising associating, bythe second appliance, the user domain name with the first intranetinternet protocol address.
 8. The method of claim 1, wherein step (c)comprises receiving, by the second appliance, one or more client-sideattributes of the client.
 9. The method of claim 8, comprisingassigning, by the second appliance, the client to an authorization groupbased on the one or more client-side attributes.
 10. The method of claim1, wherein step (c) comprises transmitting, by the second appliance, arequest to the client to evaluate at least one clause of the securitystring, the at least one clause including an expression associated witha client-side attribute.
 11. The method of claim 10, comprisingreceiving, by the second appliance, a result of the client's evaluationof the at least one clause, and assigning, by the second appliance, theclient to an authorization group based on the result.
 12. A system formaintaining a user's intranet internet protocol address upon failover ofa client's secure socket layer virtual private network (SSL VPN) sessionfrom a first appliance to a second appliance, the system comprising thesteps of: means for receiving by a second appliance information from afirst appliance, the information identifying one or more intranetinternet protocol addresses assigned to a first user for accessing anetwork via a first secure socket layer virtual private network (SSLVPN) session provided by the first appliance, each of the one or moreintranet internet protocol addresses of the first user is independentfrom an internet protocol address assigned to a device operated by thefirst user; means for detecting by the second appliance that the firstappliance is unavailable to provide the first SSL VPN session to thenetwork, wherein the second appliance provides SSL VPN connectivity tothe network in response to the detection; means for receiving by thesecond appliance a request from the client operated by the first user toestablish a second SSL VPN session with the network; and means forassigning by the second appliance to the first user a first intranetinternet protocol address previously assigned to the first user from theone or more intranet internet protocol addresses as an internet protocoladdress on the network.
 13. The system of claim 12, wherein the secondappliance assigns one of a least recently or a most recently usedintranet internet protocol address of the one or more intranet internetprotocol addresses as the first intranet internet protocol address. 14.The system of claim 12, wherein the second appliance assigns one of aleast used or a most used intranet internet protocol address of the oneor more intranet internet protocol addresses as the first intranetinternet protocol address.
 15. The system of claim 12, wherein thesecond appliance assigns the first intranet internet protocol addressfrom the one or more intranet internet protocol addresses responsive toa policy of a policy engine.
 16. The system of claim 12, wherein thesecond appliance determines an inactive intranet internet protocoladdress from the plurality of multiple intranet internet protocoladdresses as the first intranet internet protocol address.
 17. Thesystem of claim 12, wherein the second appliance identifies a policyspecifying a domain name suffix to append to an identifier of the userto provide a user domain name.
 18. The system of claim 17, wherein thesecond appliance associates the user domain name with the first intranetinternet protocol address.
 19. The system of claim 12, wherein thesecond appliance receives one or more client-side attributes of theclient.
 20. The system of claim 19, wherein the second appliance assignsthe client to an authorization group based on the one or moreclient-side attributes.
 21. The system of claim 12, wherein the secondappliance transmits a request to the client to evaluate at least oneclause of the security string, the at least one clause including anexpression associated with a client-side attribute.
 22. The system ofclaim 12, wherein the second appliance receives a result of the client'sevaluation of the at least one clause, and assigns the client to anauthorization group based on the result.